ConvoyPanel整合coterm的novnc代理服务

官方使用的docker部署, 这里折腾了下改为系统直接安装了

安装好后丢caddy或者nginx反向代理一下就好了, 我这直接用cloudflare的隧道进行代理了.

安装

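# Fetch the noVNC frontend and build coterm from source. The built web assets
# end up in /home/coterm/public and the Rust binary next to it in /home/coterm.
# Steps are chained with && so a failed mkdir/cd/clone does not run the next
# command in whatever directory the shell happened to be in.
mkdir -p /home/coterm/public \
  && cd /home/coterm/public \
  && git clone https://github.com/novnc/noVNC

cd /tmp \
  && git clone "https://github.com/ConvoyPanel/coterm.git" \
  && cd coterm \
  && npm install \
  && npm run build \
  && cp -rf ./build/* /home/coterm/public/

# Build the coterm backend (Rust).
# NOTE(review): `cargo run` starts the freshly built debug binary in the
# foreground; only the release build below is what gets installed — confirm
# this step is wanted.
cd ./src-rust \
  && cargo run
cargo build --release
install target/release/coterm /home/coterm/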

环境变量配置

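# Runtime environment for coterm, read by the systemd unit via EnvironmentFile=.
# The delimiter is quoted so a token containing '$' is written literally.
# No trailing comments inside the file: EnvironmentFile= only skips lines that
# *start* with '#', so a trailing "# ..." would become part of the value.
cat >/home/coterm/.env <<'EOF'
# Panel (Convoy) base URL
CONVOY_URL=https://XXX.XXXX.XX
COTERM_TOKEN="XXXXX"
BACKEND_PORT=2600
DANGEROUS_DISABLE_TLS_VERIFICATION=false
# Full backtraces on panic; handy during setup, noisy in the journal later.
RUST_BACKTRACE="full"
EOF
# The file holds the panel token: make it readable by its owner only.
chmod 600 /home/coterm/.env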

系统服务

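# systemd unit for coterm. The delimiter is quoted: nothing in the unit needs
# shell expansion, and a literal '$' in the file must survive as written.
cat >/etc/systemd/system/coterm.service <<'EOF'
[Unit]
Description=Coterm Service
After=network.target nss-lookup.target

[Service]
Type=simple
# The token and panel URL come from the env file, not from the command line.
EnvironmentFile=/home/coterm/.env
ExecStart=/home/coterm/coterm
Restart=on-failure
# NOTE(review): no User= here, so the proxy runs as root; a dedicated
# unprivileged account that owns /home/coterm is the usual choice — confirm.

[Install]
WantedBy=multi-user.target
EOF
# Pick up the new unit file, then start it and enable it at boot.
systemctl daemon-reload
systemctl enable --now coterm.service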

convoypanel面板部署备忘录

这里没有采用官方的docker安装方式, 直接源码进行安装

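# Dependencies from the base repos plus EPEL. The quotes keep the shell from
# expanding epel-* against files in the current directory; yum does its own
# package-name globbing.
yum install redis git 'epel-*'

# Install directory for the panel sources.
SETPATH=/home/pve/
mkdir -p "$SETPATH" && cd "$SETPATH"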

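# Run `php artisan horizon:work` (the Laravel queue worker) as a system service.
# The delimiter is deliberately unquoted: $SETPATH must be expanded into the
# unit file at write time.
cat >/etc/systemd/system/pve.service <<EOF
[Unit]
Description=Convoy Service
After=network.target nss-lookup.target

[Service]
Type=simple
ExecStart=/usr/bin/php $SETPATH/artisan horizon:work
Restart=on-failure
# NOTE(review): no User= here, so the worker runs as root; the account that
# owns the panel files (the PHP/web user) is the usual choice — confirm.

[Install]
WantedBy=multi-user.target
EOF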

# Unpack the latest panel release into the current directory ($SETPATH).
wget https://github.com/convoypanel/panel/releases/latest/download/panel.tar.gz -O - | tar xz
# NOTE(review): o+w makes storage/ and bootstrap/cache/ writable by every local
# account; granting write access only to the account that runs PHP (chown/chgrp)
# is the tighter alternative — that user's name is not shown in these notes.
chmod -R o+w storage/* bootstrap/cache/
# Production install: no dev packages, optimized class map.
composer install --no-dev --optimize-autoloader

设置配置文件

# Start from the shipped example. The editor step is interactive; database and
# redis settings go in here, so .env ends up holding credentials — keep its
# permissions tight (readable by the account that runs PHP only).
cp .env.example .env
vim .env

这里主要是设置数据库和redis

完善配置(主要是配置登录账户)

php artisan key:generate --force  # generate APP_KEY; --force overwrites an existing key without prompting
php artisan optimize
php artisan migrate --force   # run the database migrations; --force skips the production confirmation prompt
php artisan c:user:make   # create the login account (prompts for the details interactively, presumably)

启用守护进程

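# Register the newly written unit file with systemd, then enable the Horizon
# worker at boot and start it right away.
systemctl daemon-reload
systemctl enable --now pve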

其他的php和web设置就不复述了, 官方文档少提了需要以守护进程方式运行php artisan horizon:work, 所以写这篇文章记录一下.

整合NoVNC

登录PVE宿主节点运行

# Fetch the latest broker release and unpack it straight onto the root
# filesystem of the PVE node.
# NOTE(review): this runs as root and extracts an unverified download over /;
# saving the archive to a temp dir first and checking it against a checksum
# published with the release (if the project provides one) limits the damage
# a corrupted or tampered download can do.
wget https://github.com/convoypanel/broker/releases/latest/download/broker.tar.gz -O - | tar xz -C /

Squid透明代理-多公网IP指定出口IP

安装Squid

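# Install Squid and give it its own log/cache/core directories under
# /home/squid (the paths referenced from squid.conf below).
yum -y install squid
mkdir -p /home/squid/logs /home/squid/coredump_dir /home/squid/cache_dir
# user:group form; the user.group spelling is a legacy alias.
chown -R squid:squid -- /home/squid/
systemctl enable squid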

squid.conf配置内容

# Current proxy configuration (its contents follow).
cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# NOTE(review): "acl manager proto cache_object" is the old way of naming the
# cache manager; newer Squid releases ship a built-in "manager" ACL — check the
# installed version.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed.
# Allowed client: only this source address may use the proxy. There is no
# authentication, so this ACL is the sole access gate.
acl allowip src 14.29.10.100

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Egress selection: one ACL per local (proxy-side) address the client
# connected to; used by tcp_outgoing_address below.
acl ip118 myip 14.29.10.118
acl ip119 myip 14.29.10.119
acl ip120 myip 14.29.10.120

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): still commented out here — with it off, the allowed client can
# reach services bound to this host's loopback through the proxy.
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow allowip

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
# Proxy listening port. No address given, so Squid listens on every local
# address — which is what lets each public IP above be used as an entry point.
http_port 3228

# Multi-IP egress, the key part of this setup: the outgoing address follows
# the address the client connected to —
#   connect via 14.29.10.118 -> leave via 14.29.10.118 (ip118)
#   connect via 14.29.10.119 -> leave via 14.29.10.119 (ip119)
#   connect via 14.29.10.120 -> leave via 14.29.10.120 (ip120)
tcp_outgoing_address 14.29.10.118 ip118
tcp_outgoing_address 14.29.10.119 ip119
tcp_outgoing_address 14.29.10.120 ip120

# Squid set log path etc.
# Resolver used by Squid itself (a public resolver, not the system one).
dns_nameservers 8.8.8.8
visible_hostname aliserver

# Header stripping (called "transparent proxy" in the original notes): the
# origin server is not told that a proxy was used or which client address sat
# behind it.
request_header_access Via deny all
request_header_access X-Forwarded-For deny all


cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95

cache_dir ufs /home/squid/cache_dir 100 16 256
# NOTE(review): cache_access_log is the old spelling; recent Squid releases use
# access_log — confirm the installed version still accepts it.
cache_access_log /home/squid/logs/access.log
cache_log /home/squid/logs/cache.log
cache_store_log /home/squid/logs/store.log

coredump_dir /home/squid/coredump_dir

pid_filename /home/squid/squid.pid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

验证代理

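# Point HTTP(S) clients at the local Squid listener (http_port 3228 in
# squid.conf) so the lookups below report the proxy's egress address.
export https_proxy=http://127.0.0.1:3228 http_proxy=http://127.0.0.1:3228

# Each service echoes back the address it sees the request coming from.
curl icanhazip.com
curl curlmyip.com
curl ip.appspot.com
curl ipinfo.io/ip
curl ipecho.net/plain
curl www.trackip.net/i

# Additional services
curl ip.sb
curl ip.6655.com/ip.aspx
curl whatismyip.akamai.com
wget -qO - ifconfig.co
# DNS-based lookup. dig does not honour http_proxy, so this reports the host's
# own default egress address, not the one Squid selected.
# (The "+" and "@" were HTML-escaped in the original notes.)
dig +short myip.opendns.com @resolver1.opendns.com
curl ident.me
curl v4.ident.me
curl v6.ident.me
curl inet-ip.info

# These also return the region.
# Quoted: '?' is a glob character and the query string must reach curl intact.
curl 'ip.6655.com/ip.aspx?area=1'
curl 1111.ip138.com/ic.asp
curl ip.cn
curl cip.cc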

华为路由常用命令备忘录

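stelnet 192.168.99.1 22    # SSH to another device
display logbuffer  # show the log buffer
display fib slot 3   # FIB on the card in slot 3
display memory   # memory usage
display ip routing-table vpn-instance vrf1    # routing table of a VRF
display ip routing-table   # default routing table
display bgp peer  # BGP peers
display bgp routing-table 1.0.0.0    # route information for 1.0.0.0
display bgp routing-table   community # routes with their communities
display bgp routing-table  regular-expression 174    # routes whose AS path matches 174
display bgp routing-table  regular-expression  ^174_ # routes whose AS path starts with 174
display bgp routing-table  regular-expression  _174$ # routes whose AS path ends with 174
display bgp routing-table  regular-expression _(4808|4837|9929|10099)    # China Unicom AS paths
display bgp routing-table  regular-expression  _(4134|4809_4134)        # China Telecom AS paths
display bgp routing-table  peer X.X.X.X  accepted-routes   # routes received from a BGP neighbour
display bgp routing-table  peer X.X.X.X    advertised-routes     # routes advertised to a BGP neighbour

display bgp ipv6 routing-table   # IPv6 BGP table
display bgp ipv6  peer  # IPv6 BGP sessions
display bgp ipv6 routing-table  peer   XX:XX:XX  advertised-routes  # IPv6 routes advertised to a neighbour

display interface brief  # port status
display interface  GigabitEthernet0/3/0  # port details, e.g. SFP optical levels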

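# VRF definition
#
ip vpn-instance vrf1
 ipv4-family
  route-distinguisher 999:2
  apply-label per-route
  ip direct-routing-table route-policy HE-IN
  vpn-target 999:2 export-extcommunity
  vpn-target 999:2 import-extcommunity
#
# NOTE(review): the address family below is bound to vpn-instance Local_SG,
# while the VRF defined above and the static route at the end use vrf1 —
# confirm which name is intended.
# NOTE(review): "password simple" keeps the BGP peer password in cleartext in
# the running config and in every config backup; VRP also offers
# "password cipher" — check the syntax for the target release before switching.
bgp 999
 ipv4-family vpn-instance Local_SG
  import-route direct
  import-route static
  import-route ospf 100
  active-route-advertise
  ext-community-change enable
  import-rib public route-policy HE-IN
  peer X.X.X.X as-number 888
  peer X.X.X.X timer keepalive 10 hold 180
  peer X.X.X.X password simple PASSWORD
  peer X.X.X.X route-policy IX-IN import
  peer X.X.X.X route-policy IX-ipv4-out export
#
ip route-static vpn-instance vrf1 <目的网络> <目的子网掩码> <下一跳地址>   # static route for a prefix out of the VRF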

Linux转移执行中的进程

有时候跑一个长期运行的命令, 或者突然掉线重新连接后进程还在需要把进程调出来继续执行,

或者是将现有的进程丢进screen里面继续后台运行.

这时候reptyr就派上用场了.

# reptyr re-attaches an already running process to the current terminal
# (e.g. inside a fresh screen session after a dropped connection).
yum install reptyr -y
reptyr 进程PID

 

在centos上使用snapd进行安装app

现在用snap商店安装软件越来越频繁了, 而且众多linux发行版都支持了.

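# Install snapd, let systemd manage its socket, and expose /snap and /snap/bin.
sudo yum install snapd
# --now already starts the socket; the explicit start that follows is
# redundant but harmless.
sudo systemctl enable --now snapd.socket
sudo systemctl start snapd.socket
# Symlink at the conventional /snap path (needed for classic confinement).
sudo ln -s /var/lib/snapd/snap /snap
export PATH="$PATH:/snap/bin"
# Quoted so a $HOME containing spaces still resolves to a single path.
echo 'export PATH="$PATH:/snap/bin"' >> "$HOME/.bashrc"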

安装一个 flutter压压惊

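# Build dependencies for Flutter desktop (Linux toolchain + GTK3); gtk3-devel
# was listed twice in the original line.
sudo yum install epel-release -y
sudo yum install clang cmake ninja-build pkgconfig gtk3-devel xz-devel -y
# --classic: Flutter needs classic confinement. sudo for consistency with the
# other privileged steps above.
sudo snap install flutter --classic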

 

php简繁转换安装部署

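# Build and install OpenCC (the conversion library), then the opencc4php
# extension for the PHP build under /opt/php7.
yum install epel-release -y
yum install doxygen -y
git clone https://github.com/BYVoid/OpenCC.git
# Chained with && so a failed clone/cd does not run make in the wrong directory.
cd OpenCC && make && sudo make install

# Cloned inside the OpenCC checkout, as in the original notes.
git clone https://github.com/nauxliu/opencc4php
cd opencc4php && phpize && ./configure && make && sudo make install
# Register the extension with this PHP installation.
echo extension=opencc.so >> /opt/php7/etc/php.d/1-opencc.ini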

 

 composer载入php-opencc

 # Pull the PHP wrapper for OpenCC into the project; -vvv gives very verbose output.
 composer require overtrue/php-opencc -vvv

 

 

 

 

 

 

solusvm vps初始化swap和划分容量到根分区

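# Re-initialise the swap partition (vda2) and grow the root filesystem (vda1)
# to fill its partition, then update and reboot. Device names are the ones used
# on this VPS image — verify with lsblk before running elsewhere.
swapoff /dev/vda2
mkswap /dev/vda2
swapon /dev/vda2
resize2fs /dev/vda1
yum -y update
systemctl disable guestfs-firstboot
# "rebootp" in the original notes was a typo, so the reboot never happened.
reboot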

记录一次linux模版封装踩坑

1. kvm运行Centos9/almalinux-9 出现kernel panic  , 改qemu的cpu模式为 host-model 解决 (前两年其实就踩过了没记录给忘记了)

2.系统模版封装

下载转换qcow2为raw

# Convert the downloaded cloud image to raw so its partitions can be mapped
# with kpartx.
qemu-img convert centos9-stream.qcow2 centos9-stream.raw

# Map the image's partitions and mount the root partition for editing.
kpartx -av centos9-stream.raw
mount /dev/mapper/loop0p2  /mnt
umount /mnt
#### ... apply the configuration changes here ...

# Shortcut: install an existing OS onto the target VM disk first, then dd the
# prepared root partition over that VM's partition (reusing a ready image
# instead of building one from scratch).
# NOTE(review): dd_rescue overwrites the target partition without asking —
# double-check the vg0-kvmXXXX_img mapping before running it.
kpartx  /dev/mapper/vg0-kvmXXXX_img
dd_rescue /dev/mapper/loop0p2   /dev/mapper/vg0-kvmXXXX_img1

# Bind-mount the pseudo filesystems and chroot into the copied system to
# rewrite the bootloader. (The copied root is expected to be mounted at /mnt
# at this point; that mount step is not shown.)
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
grub2-install /dev/sdXXXXX     # rewrite the boot record on the VM disk
exit

# Template hygiene: drop the shell history. NOTE(review): for a reusable
# template, per-instance identifiers generated inside the image (SSH host keys,
# machine-id) are usually cleared as well — not done here.
rm -r  /mnt/root/.bash_history   # remove the command history
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt/
kpartx -dv /dev/mapper/vg0-kvmXXXX_img


/scripts/kvmtemplate --generation=2  --mode=package  --vmid=kvmXXXX  # repackage the template


cloudinit 转solusvm 模版偷梁换柱完事

solusvm官方没更新模版了, 这次给遗留的机器加上最新系统的模版

files.gallery的nginx部署备忘录

由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.

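# files.gallery vhost: only "/" itself and PHP scripts are reachable; every
# other path is denied so the files the gallery has access to cannot be
# fetched directly through nginx.
server {
    server_name gallery.XX.net;
    index index.php;
    root /home/gallery/web;
        # Exact match for the site root; served through `index` (index.php).
        location =/ {}
        # Everything else (direct file paths) is refused.
        location / { deny all;}
        # NOTE(review): answers every challenge path with an empty 200 instead of
        # serving the token file; certbot --nginx inserts its own location during
        # issuance, so this may be a leftover — confirm it is still needed.
        location /.well-known/acme-challenge/ { return 200; }
        location ~ \.php(?:$|/) {
                        # `=404` must be a single token. Written as `= 404`, nginx treats
                        # "=" as a file to try and "404" as a URI for an internal redirect,
                        # so missing scripts never produce the intended 404. Only scripts
                        # that exist on disk reach PHP-FPM.
                        try_files $uri =404;
                        fastcgi_pass unix:/dev/shm/php8-fpm.sock;
                        # NOTE(review): no fastcgi_params / SCRIPT_FILENAME visible here —
                        # presumably included at a higher level; confirm.
        }
}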

设定ssl证书

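# EPEL provides certbot and its nginx plugin; certbot edits the vhost in place.
dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
# Weekly renewal check. Files in /etc/cron.d need a user field after the time
# spec; without it cron reads "/usr/bin/certbot" as the user name and the job
# never runs.
echo "0 3 * * 6 root /usr/bin/certbot renew --quiet" > /etc/cron.d/certbot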

使用cloudflare后nginx传递客户端真实ip

主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip, 所以用real_ip_header读取它.

然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数

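# Trust Cloudflare's edge addresses as the source of the real client IP.
# Only IPv4 ranges are listed here; Cloudflare also publishes IPv6 ranges and
# the list changes over time — keep it in sync with the published list.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
# Cloudflare carries the visitor address in CF-Connecting-IP. The header is
# honoured only when the connection comes from one of the ranges above, and
# $remote_addr is then replaced with its value.
real_ip_header CF-Connecting-IP;
# Pass the validated address to the backend. $remote_addr has already been
# rewritten by the realip module; X-Forwarded-For is supplied by the client and
# can be forged. (The original $HTTP_X_FORWARDED_FOR spelling is also not the
# nginx variable — variable names are lowercase, $http_x_forwarded_for.)
proxy_set_header REMOTE_ADDR $remote_addr;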

Linux部署snmpd监控服务

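# Minimal net-snmp agent bound to loopback only. On RHEL-family systems the
# agent package is net-snmp; "snmp" is the Debian package name.
yum install net-snmp -y
# Quoted delimiter: nothing in the file needs shell expansion.
cat >/etc/snmp/snmpd.conf <<'EOF'
sysLocation    Sitting on the Dock of the Bay
sysContact     Me <[email protected]>
sysServices    72
master  agentx
# Read-only views: system group, host resources, interface table.
view systemview included .1.3.6.1.2.1
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view systemview included .1.3.6.1.2.1.2.2.1.1
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
view systemview included .1.3.6.1.2.1.2.2.1
# v1/v2c read-only community. "default" accepts any source address; the only
# thing limiting reachability is the loopback agentaddress at the bottom — if
# that is ever widened, restrict the source here too.
rocommunity  public1611 default
rocommunity6 public1611 default -V systemonly
# SNMPv3 user (SHA auth, AES privacy). NOTE(review): "123pwd" is a placeholder —
# use strong passphrases. createUser in this file keeps the passphrases in
# cleartext; net-snmp replaces createUser lines with derived keys only when they
# are placed in the persistent config (on RHEL typically
# /var/lib/net-snmp/snmpd.conf).
createUser snmpname SHA "123pwd" AES "123pwd"
rouser snmpname
usmSecurityLevel authPriv
# NOTE(review): usmUser looks like the persistent-store line format — confirm
# snmpd accepts it in this file.
usmUser snmpname - SHA "123pwd" AES "123pwd"
# Legacy com2sec/group/access triple granting the same community read access
# to the whole tree (.1).
com2sec readonly  default         public1611
group MyROGroup v2c        readonly
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact  all    none   none
# Duplicate of the rocommunity line above; kept, harmless.
rocommunity public1611
# Listen on loopback only, non-standard port.
agentaddress udp:127.0.0.1:16100
EOF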

iTerm2配色

Import Color Scheme into iTerm2:

  • Open iTerm2.
  • Go to iTerm2 -> Preferences -> Profiles.
  • In the Colors tab, you will see a Color Presets dropdown. Open it.
  • At the bottom of the dropdown, you'll find Import...
https://raw.githubusercontent.com/mbadolato/iTerm2-Color-Schemes/master/schemes/Solarized%20Dark%20Higher%20Contrast.itermcolors

批量下载github打包文件

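# Download every asset of the latest GitHub release of ehang-io/nps.
# -f fails on HTTP errors instead of feeding an error page to grep; -L follows
# redirects. grep -oP (PCRE \K) keeps just the URL, so GNU grep is required.
# xargs hands all URLs to one wget, as the original unquoted $(...) did, but
# -r skips wget entirely when the API returns no asset.
curl -fsSL https://api.github.com/repos/ehang-io/nps/releases/latest \
  | grep -oP '"browser_download_url": "\Khttps://[^"]+' \
  | xargs -r wget --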

把ehang-io/nps换成你要的github ID和项目地址.

cloudpanel安装swoole扩展

 

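 # Build the Swoole extension against CloudPanel's PHP 8.1 toolchain.
 # Chained with && so a failed step stops the sequence instead of running
 # configure/make in the wrong directory.
 git clone https://github.com/swoole/swoole-src.git && cd swoole-src \
   && /usr/bin/phpize8.1 \
   && ./configure --enable-sockets --enable-mysqlnd --enable-openssl --enable-swoole-dev --with-php-config=/usr/bin/php-config8.1 \
   && make && make install

 # Register the extension for the CLI SAPI only (this ini lives under cli/).
 echo extension=swoole.so >/etc/php/8.1/cli/conf.d/20-swoole.ini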