files.gallery的nginx部署备忘录

由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.

server {
    server_name gallery.XX.net;
    index index.php;
    root /home/gallery/web;
        location =/ {}
        location / { deny all;}
        location /.well-known/acme-challenge/ { return 200; }
        location ~ \.php(?:$|/) {
                        try_files $uri = 404;
                        fastcgi_pass unix:/dev/shm/php8-fpm.sock;
        }
}

设定ssl证书

dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
echo "0 3 * * 6 /usr/bin/certbot renew --quiet"> /etc/cron.d/certbot

使用cloudflare后nginx传递客户端真实ip

主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip,所以  read_ip读取它.

然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_set_header REMOTE_ADDR $HTTP_X_FORWARDED_FOR;

Linux部署snmpd监控服务

yum install snmp -y
cat>/etc/snmp/snmpd.conf<<EOF
sysLocation    Sitting on the Dock of the Bay
sysContact     Me <[email protected]>
sysServices    72
master  agentx
view systemview included .1.3.6.1.2.1
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view systemview included .1.3.6.1.2.1.2.2.1.1
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
view systemview included .1.3.6.1.2.1.2.2.1
rocommunity  public1611 default 
rocommunity6 public1611 default -V systemonly
createUser snmpname SHA "123pwd" AES "123pwd"
rouser snmpname
usmSecurityLevel authPriv
usmUser snmpname - SHA "123pwd" AES "123pwd"
com2sec readonly  default         public1611
group MyROGroup v2c        readonly
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact  all    none   none
rocommunity public1611
agentaddress udp:127.0.0.1:16100
EOF

iTerm2配色

Import Color Scheme into iTerm2:

  • Open iTerm2.
  • Go to iTerm2 -> Preferences -> Profiles.
  • In the Colors tab, you will see a Color Presets dropdown. Open it.
  • At the bottom of the dropdown, you'll find Import...
https://raw.githubusercontent.com/mbadolato/iTerm2-Color-Schemes/master/schemes/Solarized%20Dark%20Higher%20Contrast.itermcolors

批量下载github打包文件

wget $(curl -s https://api.github.com/repos/ehang-io/nps/releases/latest | grep -oP '"browser_download_url": "\Khttps://[^"]+')

把ehang-io/nps换成你要的github ID和项目地址.

cloudpanel安装swoole扩展

 

 git clone https://github.com/swoole/swoole-src.git &&    cd swoole-src
/usr/bin/phpize8.1 
./configure --enable-sockets  --enable-mysqlnd   --enable-openssl   --enable-swoole-dev   --with-php-config=/usr/bin/php-config8.1
make && make install

echo extension=swoole.so >/etc/php/8.1/cli/conf.d/20-swoole.ini

替代更换api.exchangerate.host的货币汇率接口

api.exchangerate.host 的API不能白嫖了, 找了个新的汇率接口api.vatcomply.com

原有代码

function exchange($from, $to)
{
    try {
        $result = file_get_contents('https://api.exchangerate.host/latest?symbols=' . $to . '&base=' . $from);
        $result = json_decode($result, true);
        return $result['rates'][$to];
    } catch (Exception $e){
        echo "Exchange error: ".$e;
        return "Exchange error: ".$e;
    }

}

更新后

function exchange($from, $to)
{
    try {
        $result = file_get_contents('https://api.vatcomply.com/rates?base='. $from);
        $result = json_decode($result, true);
        return $result['rates'][$to];
    } catch (Exception $e){
        echo "Exchange error: ".$e;
        return "Exchange error: ".$e;
    }

}

Debian运行apt出现Segmentation fault错误

Segmentation fault
E: Sub-process /usr/bin/apt-listchanges --apt || test $? -lt 10 returned an error code (1)
E: Failure running script /usr/bin/apt-listchanges --apt || test $? -lt 10

 

修改/etc/apt/apt.conf.d/20listchanges文件,注释掉第一行.

#DPkg::Pre-Install-Pkgs { "/usr/bin/apt-listchanges --apt || test $? -lt 10"; };

Cisco ASR升级系统备忘录

先准备一个U盘格式化为FAT32格式

将bin pkg  license等文件复制到设备上

enable
cd usb0:
dir
copy usb0:/XXXXX.SPA.bin bootflash:
copy usb0:/XXXXX.SPA.pkg bootflash:
copy usb0:/license.txt flash:
license smart reservation install file flash:license.txt
>conf t
#upgrade rom-monitor filename bootflash:XXXXX.SPA.pkg all
#no boot system flash bootflash:OLD_XXXXX.SPA.bin
#boot system flash bootflash:XXXXX.SPA.bin
#platform hardware throughput level 3500000
#do wr
#do show bootvar
#reload

智能许可: 16.9到最新的17.X所有版本
传统许可: 16.9和更低的版本

新版本用的是license smart , 以前的授权文件无法再使用, 所以要写入新签发的授权数据.

Cisco配置备忘录

弃用10进制显示原文的community参数, 这玩意太容易忘记了.

ip bgp-community new-format

配置ssh免密码登录

转换密钥格式

fold -b -w 72 ~/.ssh/id_rsa.pub

准备提取复制ssh-rsa到最后comment的中间一段密钥

开始配置设备

hostname Router-R1
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
transport input ssh
login local
!
no ip ssh server authenticate user password
no ip ssh server authenticate user keyboard
!

导入密钥步骤

Router-R1(config)#ip ssh pubkey-chain 
Router-R1(conf-ssh-pubkey)#username 用户名
Router-R1(conf-ssh-pubkey-user)#key-string
Router-R1(conf-ssh-pubkey-data)#粘贴密钥
Router-R1(conf-ssh-pubkey-data)#exit
Router-R1(conf-ssh-pubkey-user)#exit
Router-R1(conf-ssh-pubkey)#exit
Router-R1(config)# do wr

查看配置内容

Router-R1#show running-config | begin pubkey   
ip ssh pubkey-chain
  username 用户名
   key-hash ssh-rsa 8FB4F858DD7E5AFB372780EC653DB371
  quit

这些配置除了上新设备不常用容易忘记, 仅做备忘.

 

对端口进行白名单限制登录设置

ip access-list extended ssh-permit
 permit ip 10.11.80.0 0.0.1.255 any
!
line vty 0 4 
 access-class ssh-permit in

配置Telnet

line vty 5 15
 access-class ssh-permit in
 login local
 transport input telnet

 

原文出处:https://networklessons.com/uncategorized/ssh-public-key-authentication-cisco-ios

openssh-client不保存登陆数据

cat>>.ssh/config<<EOF
 StrictHostKeyChecking=no
 UserKnownHostsFile=/dev/null
EOF
  • -o StrictHostKeyChecking=no 选项告诉SSH客户端不要检查known_hosts文件中的主机密钥。
  • -o UserKnownHostsFile=/dev/null 选项告诉SSH客户端不要将主机密钥保存到任何文件中。

umami部署记录

安装

yum install nodejs git -y
npm install forever -g
npm install  yarn -g
yarn global add pm2
mkdir /app/
cd /app/
git clone https://github.com/umami-software/umami.git
cd umami
yarn install
cat>.env<<EOF
DATABASE_URL=mysql://root:password@localhost:3306/umami
BASE_PATH = /analytics
EOF
yarn build
yarn start
pm2 start yarn --name umami -- start
pm2 startup
pm2 save

升级

cd /app/umami
#拉取仓库
git pull
#安装
yarn install
#构建项目
yarn build
#更新数据库
yarn update-db
pm2 restart umami 

nginx反向代理配置

  location /analytics {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

nvme软RAID10设置

yum install  nvme-cli mdadm -y

先用nvme tool清理一遍磁盘

nvme list   #查看所有nvme磁盘 
nvme format -s1   /dev/nvme{0..11}n1 --force

wipefs清理一遍,然后mdadm建立阵列

wipefs -a /dev/nvme{0..11}n1
for i in {0..11};do
    parted -s -a optimal /dev/nvme${i}n1 mklabel gpt
    parted -s -a optimal /dev/nvme${i}n1 mkpart primary 0% 100%
    parted -s -a optimal /dev/nvme${i}n1 set 1 raid on
    parted -s -a optimal /dev/nvme${i}n1 name 1 raid_part
done

mdadm --create /dev/md10 --run --level=10 --raid-devices=12 /dev/nvme{0..11}n1p1

cat /proc/mdstat      #查看阵列状态
mdadm --detail /dev/md10  #查看阵列信息

检测下硬盘是否有阵列信息

 mdadm --examine /dev/nvme{0..11}n1

#保存阵列信息

 mdadm --detail --scan --verbose >> /etc/mdadm.conf  

 

跑下DD测试

dd if=/dev/zero of=test bs=64k count=4k oflag=dsync
dd if=/dev/zero of=test bs=8k count=256k conv=fdatasync

跑下fio测试

  fio --filename=/dev/md10 --direct=1 --rw=randread --bs=4k --ioengine=libaio --iodepth=256 --runtime=120 --numjobs=4 --time_based --group_reporting --name=iops-test-job --eta-newline=1 --readonly

 

顺道创建个lvm玩玩

yum install lvm2 -y
pvcreate  /dev/md10
vgcreate vg0   /dev/md10
lvcreate -n test -L 20G vg0
mkfs.ext4 /dev/vg0/test
mount /dev/vg0/test /mnt

新加坡数据中心一览

 Global Switch/ Equinix DRT/Telin 为大多数人托管机柜比较多

本地运营商M1net的机房价格比较便宜, 但一般只有3kva电每个柜子,

singtel的机房本人了解不多.

Local Loop业务 SG.GS做的很全.


M1 MiWorld
M1
9 International Business Park, 609915, Singapore

Racks Central
Racks Central Pte Ltd
23 Tai Seng Drive Singapore 535224
535224 Singapore

Equinix SG3
26A Ayer Rajah Crescent, Singapore

Equnix SG2
15 Pioneer Walk, #04-01, Singapore, SG, 627753

Equinix SG1
20 Ayer Rajah Crescent, Singapore

阅读剩余部分...

FriendlyElec NanoPi R5S

最近入手了FriendlyElec NanoPi R5S

金属壳子和树莓派亚克力壳子一样大小.

m2 2208的 4T的ssd插进去只能识别用到2T容量