certbot使用cloudflare的api签发ssl

先去cloudflare上申请IP https://dash.cloudflare.com/profile/api-tokens

在Edit zone DNS的模版下授权可以修改DNS的域名

写入API配置

echo " dns_cloudflare_api_token = XXXXXXXXXXXXXXXXXXXXXx" >/root/cloudflare.ini

安装和签发ssl

dnf install -y epel-release
dnf install -y certbot certbot-dns-cloudflare python*-certbot-dns-cloudflare
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d kvm.la

WHMCS模版直接掉调用产品数据

{php}
$postData = array('gid' => '1',);
$results = localAPI('GetProducts', $postData, 'admin');
//print_r( $results);

foreach ($results['products']['product'] as $product) {
$description =$product['description'];
$description = str_replace(array('<ul>', '</ul>'), '', $description);
$description = str_replace('<li>', '<td>', $description);
$description = str_replace('</li>', '</td>', $description);
        $getProducts[] = array(
        'name' => $product['name'],
        'url' => $product['product_url'],
        'desc' => $description,
        'prefix' => $product['pricing']['USD']['prefix'],
        'price' => $product['pricing']['USD']['monthly'],
    );
}
$_smarty_tpl->assign('getProducts', $getProducts);
{/php}

{foreach $getProducts as $value }
                                <tr>
                                {$value.desc}
                                    <td><span class="price">{$value.prefix}{$value.price}<span>/MRC</span></span> </td>
                                    <td><a href="{$value.url}" class="btn btn-success">Order</a>
                                    </td>
</tr>
{/foreach}

 蒲公英路由X4C安装frp服务

X4C用来做机房外带管理,  直接穿透外网访问串口服务器等等.
 
 
-----解锁SSH-----
http://10.168.1.1/cgi-bin/oraybox?_api=ssh_set&enabled=1
或者备份数据用7zip打开下载的文件找到etc/config/system修改ssh选项为1 再导入备份重启就可以连接ssh了
5.5.0以上版本密码为oray@12#$%^78
5.5.0以下是admin
 
wget https://github.com/kuoruan/openwrt-frp/releases/download/v0.37.1-1/frpc_0.37.1-1_mipsel_24kc.ipk --no-check-certificate
opkg install frpc_*.ipk

这里备注一下需要mipsel_24kc版本,折腾了大半天走了不少弯路,执行opkg update才发现这个版本能安装.

0.37.1以上版本报错

"Error relocating /usr/bin/frpc: __nanosleep_time64: symbol not found"

frpc.ini配置文件

 cat>/etc/frpc.ini<<EOF
[common]
server_addr = frps.server
server_port = 7000
token = password
log_level = debug
log_max_days = 3
use_compression = true
login_fail_exit = false

[rand-ssh]
type = tcp
local_ip = 0.0.0.0
local_port = 22
remote_port = 0
EOF

启动文件

cat>/etc/init.d/frpc<<EOF
#!/bin/sh /etc/rc.common
START=99
start() {
        sleep 20; nohup /usr/bin/frpc -c /etc/frpc.ini >/root/nohup.out 2>&1 &
}
stop() {
        kill -9 `ps | grep '/usr/bin/frpc' | grep -v 'grep' | awk '{print $1}'`
}
EOF
chmod 755 /etc/init.d/frpc
/etc/init.d/frpc enable && echo on
/etc/init.d/frpc  start

启动文件有点简单粗暴

 

 

超微设置ipmi端口

#获取网卡模式状态
ipmitool raw 0x30 0x70 0x0c 0.

#设置独立网卡模式
ipmitool raw 0x30 0x70 0x0c 1 0.

#设置公网IP共享模式
ipmitool raw 0x30 0x70 0x0c 1 1.

#设置成failover模式
 ipmitool raw 0x30 0x70 0x0c 1 2.

windows版本ipmitool  https://kvm.la/ipmitool-for-windows.html

ConvoyPanel整合coterm的novnc代理服务

官方使用的docker部署, 这里折腾了下改为系统直接安装了

安装好后丢caddy或者nginx反向代理一下就好了, 我这直接用cloudflare的隧道进行代理了.

安装

mkdir  /home/coterm/public -p
cd  /home/coterm/public 
git clone https://github.com/novnc/noVNC

cd /tmp
git clone "https://github.com/ConvoyPanel/coterm.git"
cd coterm
npm install
npm run build
cp -rf  ./build/*   /home/coterm/public/
#编译coterm主程序
cd ./src-rust
cargo run
cargo build --release
install  target/release/coterm /home/coterm/

 环境变量配置

cat>/home/coterm/.env<<EOF
CONVOY_URL=https://XXX.XXXX. XX    #面板地址
COTERM_TOKEN="XXXXX"
BACKEND_PORT=2600
DANGEROUS_DISABLE_TLS_VERIFICATION=false
RUST_BACKTRACE="full"
EOF

系统服务

cat>/etc/systemd/system/coterm.service<<EOF
[Unit]
Description=Coterm Service
After=network.target nss-lookup.target

[Service]
Type = simple
EnvironmentFile=/home/coterm/.env
ExecStart=/home/coterm/coterm
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

convoypanel面板部署备忘录

这里没有采用官方的docker安装方式, 直接源码进行安装

yum install redis git epel-*

SETPATH=/home/pve/  #设置安装目录
mkdir -p $SETPATH
cd $SETPATH

# 将php artisan horizon:work加入系统服务运行
cat>/etc/systemd/system/pve.service<<EOF
[Unit]
Description=Convoy Service
After=network.target nss-lookup.target

[Service]
Type = simple
ExecStart=/usr/bin/php $SETPATH/artisan horizon:work
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

wget https://github.com/convoypanel/panel/releases/latest/download/panel.tar.gz -O - | tar xz
chmod -R o+w storage/* bootstrap/cache/
composer install --no-dev --optimize-autoloader

设置配置文件

cp .env.example .env
vim .env

这里主要是设置数据库和redis

完善配置(主要是配置登录账户)

php artisan key:generate --force  #生成加盐
php artisan optimize
php artisan migrate --force   #导入数据库
php artisan c:user:make   #生成账户

启用守护进程

systemctl enable pve --now

其他的php和web设置就不复述了, 官方文档主少提了要守护进程运行php artisan horizon:work所以写这篇文章记录一下.

整合NoVNC

登录PVE宿主节点运行

wget https://github.com/convoypanel/broker/releases/latest/download/broker.tar.gz -O - | tar xz -C /

Squid透明代理-多公网IP指定出口IP

安装Squid

yum -y install squid
mkdir -p /home/squid/logs  /home/squid/coredump_dir /home/squid/cache_dir
chown squid.squid -R  /home/squid/
systemctl enable squid

squid.conf配置内容

cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed 允许访问IP(只允许这个ip做代理请求)
acl allowip src 14.29.10.100

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# set out - ip 配置出口IP
acl ip118 myip 14.29.10.118
acl ip119 myip 14.29.10.119
acl ip120 myip 14.29.10.120

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow allowip

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
# 设置代理端口
http_port 3228

#set out-ip 多公网IP关键配置;下面的配置是指
#若使用代理IP14.29.10.118则走ip118的ip(14.29.10.118);
#若使用代理IP14.29.10.119则走ip119的ip(14.29.10.119);
#若使用代理IP14.29.10.120则走ip120的ip(14.29.10.120)
tcp_outgoing_address 14.29.10.118 ip118
tcp_outgoing_address 14.29.10.119 ip119
tcp_outgoing_address 14.29.10.120 ip120

# Squid set log path etc.
dns_nameservers 8.8.8.8
visible_hostname aliserver

#透明代理关键配置
request_header_access Via deny all
request_header_access X-Forwarded-For deny all


cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95

cache_dir ufs /home/squid/cache_dir 100 16 256
cache_access_log /home/squid/logs/access.log
cache_log /home/squid/logs/cache.log
cache_store_log /home/squid/logs/store.log

coredump_dir /home/squid/coredump_dir

pid_filename /home/squid/squid.pid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

验证代理

export https_proxy=http://127.0.0.1:3228 http_proxy=http://127.0.0.1:3228

curl icanhazip.com
curl curlmyip.com
curl ip.appspot.com
curl ipinfo.io/ip
curl ipecho.net/plain
curl www.trackip.net/i

#补充
curl ip.sb
curl ip.6655.com/ip.aspx
curl whatismyip.akamai.com
wget -qO - ifconfig.co
dig &#43;short myip.opendns.com &#64;resolver1.opendns.com
curl ident.me
curl v4.ident.me
curl v6.ident.me
curl inet-ip.info

#返回IP和地区
curl ip.6655.com/ip.aspx?area&#61;1
curl 1111.ip138.com/ic.asp
curl ip.cn
curl cip.cc

华为路由常用命令备忘录

stelnet 192.168.99.1 22    #登录其他设备ssh
display logbuffer  #查看缓冲日志
display fib slot 3   #查看板卡FIB
display memory   #查看内存
display ip routing-table vpn-instance vrf1    #查看vrf路由表
display ip routing-table   #查看默认路由表
disply bgp peer  #查看bgp peer
display bgp routing-table 1.0.0.0    #查看1.0.0.0 的路由信息
display bgp routing-table   community #查看路由表的community
display bgp routing-table  regular-expression 174    #正则匹配as的路由表
display bgp routing-table  regular-expression  ^174_ #正则匹配as174开头的路由表
display bgp routing-table  regular-expression  _174$ #正则匹配as174结尾的路由表
display bgp routing-table  regular-expression _(4808|4837|9929|10099)    #正则匹配联通as的路由表
display bgp routing-table  regular-expression  _(4134|4809_4134)        #正则匹配电信as的路由表
display bgp routing-table  peer X.X.X.X  accepted-routes   #查看bgp邻居收到的路由表
display bgp routing-table  peer X.X.X.X    advertised-routes     #查看bgp邻居发出的路由表

display bgp ipv6 routing-table   #查看路由表
display bgp ipv6  peer  #查看ipv6 bgp session
display bgp ipv6 routing-table  peer   XX:XX:XX  advertised-routes  #查看IPv6 bgp邻居发出的路由表

display interface brief  #查看端口状态
display interface  GigabitEthernet0/3/0  #查看端口信息,例如spf光信号等

#设置vrf
#
ip vpn-instance vrf1
 ipv4-family
  route-distinguisher 999:2
  apply-label per-route
  ip direct-routing-table route-policy HE-IN
  vpn-target 999:2 export-extcommunity
  vpn-target 999:2 import-extcommunity
#
bgp 999
 ipv4-family vpn-instance Local_SG
  import-route direct
  import-route static
  import-route ospf 100
  active-route-advertise
  ext-community-change enable
  import-rib public route-policy HE-IN
  peer X.X.X.X as-number 888
  peer X.X.X.X timer keepalive 10 hold 180
  peer X.X.X.X password simple PASSWORD
  peer  X.X.X.X route-policy IX-IN import
  peer  X.X.X.Xroute-policy IX-ipv4-out export
#
ip route-static vpn-instance vrf1 <目的网络> <目的子网掩码> <下一跳地址>   #设置ip段vrf出口

Linux转移执行中的进程

有时候跑一个长期运行的命令, 或者突然掉线重新连接后进程还在需要把进程调出来继续执行,

或者是将现有的进程丢进screen里面继续后台运行.

 这时候reptyr就派上用场了

yum install reptyr -y
reptyr 进程PID

 

在centos上使用snapd进行安装app

现在用snap商店安装软件越来越频繁了, 而且众多linux发行版都支持了.

sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo systemctl start snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
export PATH="$PATH:/snap/bin"
 echo 'export PATH="$PATH:/snap/bin"' >> $HOME/.bashrc

安装一个 flutter压压惊

sudo yum install epel-release -y
sudo yum install clang cmake ninja-build pkgconfig gtk3-devel xz-devel gtk3-devel -y
snap install flutter --classic

 

php简繁转换安装部署

yum install epel-release -y
yum install  doxygen -y
git clone https://github.com/BYVoid/OpenCC.git
cd OpenCC
make
sudo make install

git clone https://github.com/nauxliu/opencc4php
cd opencc4php
phpize
./configure
 make && sudo make install
echo  extension=opencc.so >> /opt/php7/etc/php.d/1-opencc.ini

 

 composer载入php-opencc

 composer require overtrue/php-opencc -vvv

 

 

 

 

 

 

solusvm vps初始化swap和划分容量到根分区

swapoff /dev/vda2;
mkswap /dev/vda2;
swapon /dev/vda2;
resize2fs /dev/vda1;
yum -y update;systemctl disable guestfs-firstboot;
rebootp

记录一次linux模版封装踩坑

1. kvm运行Centos9/almalinux-9 出现kernel panic  , 改qemu的cpu模式为 host-model 解决 (前两年其实就踩过了没记录给忘记了)

2.系统模版封装

下载转换qcow2为raw

qemu-img convert centos9-stream.qcow2 centos9-stream.raw

#挂载修改文件
kpartx -av centos9-stream.raw
mount /dev/mapper/loop0p2  /mnt
umount /mnt
#### 咔咔咔一顿更改设置

#这里直接先安装一个现有的操作系统, 然后dd写入分区文件,(主要是懒不想去自己封装系统,拿现成的)
kpartx  /dev/mapper/vg0-kvmXXXX_img
dd_rescue /dev/mapper/loop0p2   /dev/mapper/vg0-kvmXXXX_img1

mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
grub2-install /dev/sdXXXXX     #重写引导信息
exit

rm -r  /mnt/root/.bash_history   #删除操作记录
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt/
kpartx -dv /dev/mapper/vg0-kvmXXXX_img


/scripts/kvmtemplate --generation=2  --mode=package  --vmid=kvmXXXX  #重新打包模版


cloudinit 转solusvm 模版偷梁换柱完事

solusvm官方没更新模版了, 这次给遗留的机器加上最新系统的模版

files.gallery的nginx部署备忘录

由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.

server {
    server_name gallery.XX.net;
    index index.php;
    root /home/gallery/web;
        location =/ {}
        location / { deny all;}
        location /.well-known/acme-challenge/ { return 200; }
        location ~ \.php(?:$|/) {
                        try_files $uri = 404;
                        fastcgi_pass unix:/dev/shm/php8-fpm.sock;
        }
}

设定ssl证书

dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
echo "0 3 * * 6 /usr/bin/certbot renew --quiet"> /etc/cron.d/certbot

使用cloudflare后nginx传递客户端真实ip

主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip,所以  read_ip读取它.

然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_set_header REMOTE_ADDR $HTTP_X_FORWARDED_FOR;