Aliyun Ubuntu 服务器配置记录

永久修改主机名称

$ cat /etc/hostname 
your-hostname

用户管理

创建用户adduser

$ adduser test
Adding user `test' ...
Adding new group `test' (1006) ...
Adding new user `test' (1006) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

删除用户userdel

-f, –force 强制删除用户，即使用户当时已登录，同时删除用户目录和用户邮件

-r, –remove 同时删除用户目录和用户邮件

-R, –root Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

-Z, –selinux-user Remove any SELinux user mapping for the user’s login.

$ sudo userdel -r test
userdel: test mail spool (/var/mail/test) not found

用户权限设置

1. 添加sudo权限

   usermod -G 27 test #sudo用户组的id为27

SSH安全设置

修改配置信息

vim /etc/ssh/sshd_config

Port 33333					#修改ssh端口,1024~65535之间即可
PermitRootLogin no			#禁止root用户直接登录ssh
AllowUsers test				#仅允许test用户可以ssh登录
PasswordAuthentication no	#禁止密码登录

1. 重启ssh

   service ssh restart

2. 重新加载配置

   sudo /etc/init.d/ssh reload

3. 设置ssh证书登录

   • 生成证书

     ssh-keygen -t rsa

   • 公钥配置在目标机器用户目录

     cat ~/.ssh/authorized_keys
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...TB3qNyetCcT test

4. 私钥配置在源机器用户目录

   cat ~/.ssh/config
   Host pandll-hk
       Hostname 47.52.225.88
       User wayde
       Port 33333
       IdentityFile ~/.ssh/wayde.key
   Host *
       ServerAliveInterval 60

安装openvpn

1. 安装OpenVPN

   • apt-get update
   • apt-get install -y openvpn easy-rsa

2. 建立CA目录

   make-cadir /etc/openvpn/easy-rsa

   or

   mkdir /etc/openvpn/easy-rsa

   cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa

3. 配置CA变量

   export KEY_COUNTRY="CN"
   export KEY_PROVINCE="HK"
   export KEY_CITY="HongKong"
   export KEY_ORG="Pandll"
   export KEY_EMAIL="wayde@pandll.com"
   export KEY_OU="Pandll"
   
   # X509 Subject Field
   export KEY_NAME="PandllRSA"

4. 制作CA证书

   1. source vars
   2. ./clean-all
   3. ./build-ca

5. 制作服务端证书

   1. ./build-key-server PandllRSA
   2. ./build-dh
   3. openvpn --genkey --secret keys/ta.key

6. 制作客户端证书

   ./build-key client-wayde-01
   ./build-key-pass client-wayde-02 #设置密码

7. 配置openvpn服务器

   mkdir /etc/openvpn/config
   cp ca.crt ca.key PandllRSA.crt PandllRSA.key ta.key dh2048.pem /etc/openvpn/config
   cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/config/
   gzip -d server.conf.gz
   # 修改 /etc/openvpn/config/server.conf 文件
   mkdir -p /var/log/openvpn/

8. 启动服务端

   /usr/sbin/openvpn --config /etc/openvpn/config/server.conf --daemon

   or

   systemctl start openvpn@server

   systemctl status openvpn@server

9. 配置客户端

   sudo openvpn /etc/openvpn/config/client.conf > /dev/null &

   如果客户端证书设置了密码，则需要在client.conf中加入下列行，文件中存储密码

   askpass /etc/openvpn/config/private_key_password

10. 客户端分配静态ip

    server.conf

    client-config-dir /etc/openvpn/config/ccd

    cat ccd/common_name

    ifconfig-push 172.10.11.26 172.10.11.27

安装oh-my-zsh

1. 安装zsh

   sudo apt-get install -y zsh git

2. 设置默认shell为zsh

   chsh -s /bin/zsh

   chsh -s $(which zsh)

   sudo usermod -s /bin/zsh username

3. 安装oh-my-zsh

   sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

安装配置Nginx

1. apt-get install -y build-essential libtool libpcre3 libpcre3-dev zlib1g-dev openssl
2. wget http://nginx.org/download/nginx-1.12.2.tar.gz
3. tar -xvf nginx-1.12.2.tar.gz -C nginx
4. ./configure --prefix=/home/service/nginx
5. make
6. make install
7. make clean
8. sudo apt-get install -y nginx

安装LAMP环境

1. sudo apt-get install -y apache2
2. sudo apt-get install -y php
3. sudo apt-get install -y libapache2-mod-php
4. sudo /etc/init.d/apache2 restart
5. sudo apt-get install -y mysql-server mysql-client
6. sudo apt-get install -y libapache2-mod-php7.0 php7.0-mysql
7. sudo apt-get install php7.0-gd php7.0-xml
8. cd /etc/apache2/sites-enabled
9. ln -s ../sites-available/site.conf ./
10. cd /etc/apache2/mods-enabled
11. ln -s ../mods-available/rewrite.load ./

恢复mysql数据库

$ mysql -u root -p

# 创建用户
create user pandll;

# 限制用户只允许本机登录
update mysql.user set Host="localhost" where User="pandll";

# 设置用户密码
update mysql.user set authentication_string = password('123456') where Host = 'localhost' and User = 'pandll';

# 显示存储引擎信息
show engines;

# 创建数据库设置字符集为utf-8
create database pandll default character set `utf8` collate `utf8_unicode_ci`;

# 用户授权
grant select,insert,update,delete on pandll.* to pandll@localhost;

# 切换数据库
use pandll;

# 刷新系统权限
flush privileges;

# 导入sql
source /home/wayde/backup.sql;

搭建Hexo站点

1. sudo apt-get install git

2. sudo apt-get install nodejs npm

3. sudo ln -s /usr/bin/nodejs /usr/bin/node

4. sudo npm i -g hexo hexo-cli

5. sudo adduser blog

6. hexo init blog.pandll.com

7. hexo server -p 10308

8. 安装next主题

   1. git clone --branch v5.1.3 https://github.com/iissnan/hexo-theme-next themes/next
   2. git clone https://github.com/litten/hexo-theme-yilia.git themes/yilia
   3. git clone https://github.com/A-limon/pacman.git themes/pacman

9. 安装hexo插件

   # 生成搜索引擎网站地图
   npm install hexo-generator-sitemap --save
   
   # 自动生成文章目录
   npm install hexo-toc --save
   
   # 固定链接
   npm install hexo-abbrlink --save
   
   # 在文章最末添加永久链接及版权声明
   npm install hexo-addlink --save
   
   # 本地搜索
   npm install hexo-generator-search --save
   
   # 更改首页为任意的页面
   npm install hexo-index-anything --save
   
   # 导航条
   npm install hexo-breadcrumb --save
   
   # 代码高亮
   npm install hexo-filter-highlight --save
   
   # 引用markdown文件
   npm install hexo-include-markdown --save
   
   # seo no follow
   npm install hexo-autonofollow --save
   
   # 文件压缩
   npm install hexo-all-minifier --save
   
   # 卸载插件
   npm uninstall hexo-breadcrumb

1. 添加百度统计

   thems/next/_config.yml

   # Baidu Analytics ID
   baidu_analytics: 54fab7a6da470f69******8485845c02

2. 添加disqus评论

   thems/next/_config.yml

   # Disqus
   disqus:
     enable: true
     shortname: pandll
     count: true

3. 添加livere评论

   # Support for LiveRe comments system.
   # You can get your uid from https://livere.com/insight/myCode (General web site)
   livere_uid: MTAyMC8z******84OTYw

4. 设置ico图标

   thems/next/_config.yml

   favicon:
     small: /images/pandll_16.png
     medium: /images/pandll_32.png
     apple_touch_icon: /images/pandll_180.png
     safari_pinned_tab: /images/pandll_512.svg

申请Let’s Encrypt免费证书

1. sudo apt-get update

2. sudo apt-get install software-properties-common

3. sudo add-apt-repository ppa:certbot/certbot

4. sudo apt-get update

5. sudo apt-get install python-certbot-nginx

6. sudo certbot --nginx

   $ sudo certbot --nginx                     
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Plugins selected: Authenticator nginx, Installer nginx
   Enter email address (used for urgent renewal and security notices) (Enter 'c' to
   cancel): wayde@pandll.com
   
   -------------------------------------------------------------------------------
   Please read the Terms of Service at
   https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
   agree in order to register with the ACME server at
   https://acme-v01.api.letsencrypt.org/directory
   -------------------------------------------------------------------------------
   (A)gree/(C)ancel: A
   
   -------------------------------------------------------------------------------
   Would you be willing to share your email address with the Electronic Frontier
   Foundation, a founding partner of the Let\'s Encrypt project and the non-profit
   organization that develops Certbot? We\'d like to send you email about EFF and
   our work to encrypt the web, protect its users and defend digital rights.
   -------------------------------------------------------------------------------
   (Y)es/(N)o: Y
   
   Which names would you like to activate HTTPS for?
   -------------------------------------------------------------------------------
   1: blog.pandll.com
   -------------------------------------------------------------------------------
   Select the appropriate numbers separated by commas and/or spaces, or leave input
   blank to select all options shown (Enter 'c' to cancel): 1
   Obtaining a new certificate
   Performing the following challenges:
   tls-sni-01 challenge for blog.pandll.com
   Cleaning up challenges
   Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/blog.pandll.com for set(['blog.pandll.com'])
   
   Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
   -------------------------------------------------------------------------------
   1: No redirect - Make no further changes to the webserver configuration.
   2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
   new sites, or if you\'re confident your site works on HTTPS. You can undo this
   change by editing your web server\'s configuration.
   -------------------------------------------------------------------------------
   Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
   
   -------------------------------------------------------------------------------
   Congratulations! You have successfully enabled https://blog.pandll.com
   
   You should test your configuration at:
   https://www.ssllabs.com/ssltest/analyze.html?d=blog.pandll.com
   -------------------------------------------------------------------------------
   
   IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/pandll.com/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/pandll.com/privkey.pem
      Your cert will expire on 2018-03-12. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot again
      with the "certonly" option. To non-interactively renew *all* of
      your certificates, run "certbot renew"
    - Your account credentials have been saved in your Certbot
      configuration directory at /etc/letsencrypt. You should make a
      secure backup of this folder now. This configuration directory will
      also contain certificates and private keys obtained by Certbot so
      making regular backups of this folder is ideal.
    - If you like Certbot, please consider supporting our work by:
   
      Donating to ISRG / Let\'s Encrypt:   https://letsencrypt.org/donate
      Donating to EFF:                    https://eff.org/donate-le

1. 新增站点

   sudo certbot --nginx certonly

2. 续期证书

   测试续期命令

   sudo certbot renew --dry-run

   续期

   sudo certbot renew

   强制续期

   sudo certbot renew --force-renewal

遇到问题记录

1. perl: warning: Setting locale failed.

   apt-get update

   apt-get install language-pack-zh-hans

2. ssh: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

   ssh-keygen -t dsa -f /etc/ssh/ssh_host_ed25519_key

3. openvpn 客户端连接上，一直重启

   Connection reset, restarting [-1]

   将连接方式改为udp正常，怀疑跟gfw有关

4. ubuntu apache2 : 403 forbidden

   ubuntu apache2配置文件错误

参考资料:
Ubuntu16.04搭建OpenVPN
Ubuntu 16.04搭建LAMP开发环境
MySQL——修改root密码的4种方法
mysql导入导出sql文件
Hexo文档
iissnan/hexo-theme-next
next主题、评论、阅读量统计和站内搜索
next主题的配置和优化
Nginx on Ubuntu 16.04 (xenial)
如何免费的让网站启用HTTPS