Aliyun Ubuntu Server Configuration Notes

Permanently change the hostname

$ cat /etc/hostname 
your-hostname

User management

Create a user: adduser

$ adduser test
Adding user `test' ...
Adding new group `test' (1006) ...
Adding new user `test' (1006) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
    Full Name []: 
    Room Number []: 
    Work Phone []: 
    Home Phone []: 
    Other []: 
Is the information correct? [Y/n] y

Delete a user: userdel

-f, --force    Force removal of the user even if they are still logged in; also removes the home directory and mail spool

-r, --remove   Also remove the home directory and mail spool

-R, --root     Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

-Z, --selinux-user   Remove any SELinux user mapping for the user's login.

$ sudo userdel -r test
userdel: test mail spool (/var/mail/test) not found

User privilege settings

  1. Grant sudo privileges

    usermod -aG 27 test    # 27 is the gid of the sudo group; -a appends, -G alone would replace the user's other groups

SSH security settings

Edit the configuration

vim /etc/ssh/sshd_config

# sshd_config does not accept trailing comments, so each note is on its own line
# change the ssh port; anything between 1024 and 65535 works
Port 33333
# do not allow root to log in over ssh
PermitRootLogin no
# only the user test may log in over ssh
AllowUsers test
# disable password login (key-based login only; set up step 3 before enabling this)
PasswordAuthentication no
  1. Restart ssh

    service ssh restart

  2. Reload the configuration

    sudo /etc/init.d/ssh reload

  3. Set up key-based ssh login

    • Generate a key pair

      ssh-keygen -t rsa

    • Put the public key in the user's home directory on the target machine

      cat ~/.ssh/authorized_keys
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...TB3qNyetCcT test
      
  4. Put the private key in the user's home directory on the source machine

    cat ~/.ssh/config
    Host pandll-hk
        Hostname 47.52.225.88
        User wayde
        Port 33333
        IdentityFile ~/.ssh/wayde.key
    Host *
        ServerAliveInterval 60
    
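Before restarting sshd with the settings above, it pays to confirm the file actually says what you think it says. The check below is an added example (mine, not from the original notes): it reads an sshd_config and flags any of the four settings that is missing or weaker than the notes require; the sample config it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes. check_sshd_config FILE reports
# which of the four hardening settings above are missing or weaker than the
# notes require and returns their count. It reads top-level directives only
# (Match blocks are ignored); for the values sshd will really use, run: sshd -T
check_sshd_config() {
    f="$1"; bad=0
    # effective value of a keyword: sshd uses the FIRST uncommented occurrence
    get() { grep -i "^[[:space:]]*$1[[:space:]]" "$f" | head -n 1 | awk '{print $2}'; }
    port=$(get Port)
    case "$port" in
        ''|22) echo "Port: default 22 still in effect"; bad=$((bad+1)) ;;
        *)     echo "Port: $port" ;;
    esac
    [ "$(get PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin: not 'no'"; bad=$((bad+1)); }
    [ "$(get PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication: not 'no' (password logins still possible)"; bad=$((bad+1)); }
    [ -n "$(get AllowUsers)" ] ||
        { echo "AllowUsers: unset (every account may log in)"; bad=$((bad+1)); }
    return "$bad"
}

# Demo on a constructed file holding the settings from the notes (not a real
# server config); on the server run: check_sshd_config /etc/ssh/sshd_config
sample=$(mktemp)
printf 'Port 33333\nPermitRootLogin no\nAllowUsers test\nPasswordAuthentication no\n' > "$sample"
check_sshd_config "$sample" && echo "all four hardening settings present"
rm -f "$sample"
```

Run `sshd -t` as well before the restart: it catches syntax errors (such as a trailing comment) that this check does not.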

Install OpenVPN

  1. Install OpenVPN

    • apt-get update
    • apt-get install -y openvpn easy-rsa
  2. Create the CA directory

    make-cadir /etc/openvpn/easy-rsa

    or

    mkdir /etc/openvpn/easy-rsa

    cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa

  3. Configure the CA variables

    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="HK"
    export KEY_CITY="HongKong"
    export KEY_ORG="Pandll"
    export KEY_EMAIL="wayde@pandll.com"
    export KEY_OU="Pandll"
    
    # X509 Subject Field
    export KEY_NAME="PandllRSA"
    
  4. Build the CA certificate

    1. source vars
    2. ./clean-all
    3. ./build-ca
  5. Build the server certificate

    1. ./build-key-server PandllRSA
    2. ./build-dh
    3. openvpn --genkey --secret keys/ta.key
  6. Build client certificates

    ./build-key client-wayde-01
    ./build-key-pass client-wayde-02    # prompts for a passphrase on the client key
    
  7. Configure the OpenVPN server

    mkdir /etc/openvpn/config
    cp ca.crt ca.key PandllRSA.crt PandllRSA.key ta.key dh2048.pem /etc/openvpn/config
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/config/
    gzip -d server.conf.gz
    # edit /etc/openvpn/config/server.conf
    mkdir -p /var/log/openvpn/
    
  8. Start the server

    /usr/sbin/openvpn --config /etc/openvpn/config/server.conf --daemon

    or

    systemctl start openvpn@server

    systemctl status openvpn@server

  9. Configure the client

    sudo openvpn /etc/openvpn/config/client.conf > /dev/null &

    If the client certificate was given a passphrase, add the following line to client.conf; the named file holds the passphrase

    askpass /etc/openvpn/config/private_key_password

  10. Assign a static IP to a client

    server.conf

    client-config-dir /etc/openvpn/config/ccd

    cat ccd/common_name

    ifconfig-push 172.10.11.26 172.10.11.27
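Step 7 only says to edit server.conf without showing it. As an added example (mine, not from the original notes), the script below writes a server.conf that references the files the easy-rsa steps above produced and refuses to run if any of them is missing. Assumptions: the config directory is /etc/openvpn/config, the VPN subnet 172.10.11.0/24 is chosen to match the ccd addresses in step 10, and the cipher, auth and logging lines are my choices.

```shell
#!/bin/sh
# Added example, not from the original notes. write_server_conf DIR writes
# DIR/server.conf for the CA/server/ta files copied into DIR in step 7 and
# fails if one of them is missing. Subnet 172.10.11.0/24 is an assumption
# matching the ccd addresses in step 10.
write_server_conf() {
    dir="$1"
    for f in ca.crt PandllRSA.crt PandllRSA.key dh2048.pem ta.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
cd $dir
ca ca.crt
cert PandllRSA.crt
key PandllRSA.key
dh dh2048.pem
# HMAC the control channel with ta.key: packets without a valid HMAC are
# dropped before any TLS handshake is attempted (server side uses direction 0)
tls-auth ta.key 0
# only accept peers whose certificate carries the client key usage
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server 172.10.11.0 255.255.255.0
# per-client files (ifconfig-push etc.) live in DIR/ccd, as in step 10
client-config-dir ccd
keepalive 10 120
# drop root privileges once the tun device and keys are set up
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
    echo "wrote $dir/server.conf"
}

# Demo on a temp dir with empty placeholder files (constructed, not real keys),
# so it runs without root; on the server run: write_server_conf /etc/openvpn/config
demo=$(mktemp -d)
for f in ca.crt PandllRSA.crt PandllRSA.key dh2048.pem ta.key; do : > "$demo/$f"; done
write_server_conf "$demo"
rm -rf "$demo"
```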

Install oh-my-zsh

  1. Install zsh

    sudo apt-get install -y zsh git

  2. Set zsh as the default shell (any one of the following)

    chsh -s /bin/zsh

    chsh -s $(which zsh)

    sudo usermod -s /bin/zsh username

  3. Install oh-my-zsh

    sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
    

Install and configure Nginx

  1. apt-get install -y build-essential libtool libpcre3 libpcre3-dev zlib1g-dev openssl
  2. wget http://nginx.org/download/nginx-1.12.2.tar.gz
  3. tar -xzvf nginx-1.12.2.tar.gz && cd nginx-1.12.2
  4. ./configure --prefix=/home/service/nginx
  5. make
  6. make install
  7. make clean
  8. sudo apt-get install -y nginx    # alternatively, the Ubuntu package (the one certbot --nginx manages below)

Install the LAMP stack

  1. sudo apt-get install -y apache2
  2. sudo apt-get install -y php
  3. sudo apt-get install -y libapache2-mod-php
  4. sudo /etc/init.d/apache2 restart
  5. sudo apt-get install -y mysql-server mysql-client
  6. sudo apt-get install -y libapache2-mod-php7.0 php7.0-mysql
  7. sudo apt-get install php7.0-gd php7.0-xml
  8. cd /etc/apache2/sites-enabled
  9. ln -s ../sites-available/site.conf ./
  10. cd /etc/apache2/mods-enabled
  11. ln -s ../mods-available/rewrite.load ./

Restore a MySQL database

$ mysql -u root -p

# create the user, allowed to log in only from this host, with a password
create user 'pandll'@'localhost' identified by '123456';

# show storage engine information
show engines;

# create the database with the utf8 character set
create database pandll default character set `utf8` collate `utf8_unicode_ci`;

# grant the user only the data-manipulation privileges it needs
grant select,insert,update,delete on pandll.* to 'pandll'@'localhost';

# switch to the database
use pandll;

# reload the privilege tables
flush privileges;

# import the sql dump
source /home/wayde/backup.sql;

Install the shadowsocks server

  1. apt-get update

  2. apt-get install -y python-pip

  3. sudo pip install shadowsocks

  4. Server configuration

    {
        "server":"172.31.24.51",
        "port_password":{
            "10001":"123456",
            "10002":"123456",
            "10003":"123456"
        },
        "timeout":300,
        "method":"rc4-md5",
        "fast_open":false,
        "workers":1
    }
    
  5. Start the server

    sudo ssserver -c /etc/shadowsocks/server.json -d start

  6. Client configuration

    {
        "server":"172.31.24.51",
        "server_port":10001,
        "local_address": "127.0.0.1",
        "local_port":8399,
        "password":"123456",
        "timeout":300,
        "method":"rc4-md5",
        "fast_open": false,
        "workers": 1
    }
    

Set up a Hexo site

  1. sudo apt-get install git

  2. sudo apt-get install nodejs npm

  3. sudo ln -s /usr/bin/nodejs /usr/bin/node

  4. sudo npm i -g hexo hexo-cli

  5. sudo adduser blog

  6. hexo init blog.pandll.com

  7. hexo server -p 10308

  8. Install themes (next, yilia, pacman)

    1. git clone --branch v5.1.3 https://github.com/iissnan/hexo-theme-next themes/next
    2. git clone https://github.com/litten/hexo-theme-yilia.git themes/yilia
    3. git clone https://github.com/A-limon/pacman.git themes/pacman
  9. Install hexo plugins

    # generate a sitemap for search engines
    npm install hexo-generator-sitemap --save
    
    # automatically generate a table of contents for posts
    npm install hexo-toc --save
    
    # permalinks
    npm install hexo-abbrlink --save
    
    # append the permalink and copyright notice at the end of each post
    npm install hexo-addlink --save
    
    # local search
    npm install hexo-generator-search --save
    
    # use any page as the home page
    npm install hexo-index-anything --save
    
    # breadcrumb navigation
    npm install hexo-breadcrumb --save
    
    # code highlighting
    npm install hexo-filter-highlight --save
    
    # include markdown files
    npm install hexo-include-markdown --save
    
    # seo nofollow
    npm install hexo-autonofollow --save
    
    # minify output files
    npm install hexo-all-minifier --save
    
    # uninstall a plugin
    npm uninstall hexo-breadcrumb
    

  10. Add Baidu Analytics

    themes/next/_config.yml

    # Baidu Analytics ID
    baidu_analytics: 54fab7a6da470f69******8485845c02
    
  11. Add Disqus comments

    themes/next/_config.yml

    # Disqus
    disqus:
     enable: true
     shortname: pandll
     count: true
    
  12. Add LiveRe comments

    # Support for LiveRe comments system.
    # You can get your uid from https://livere.com/insight/myCode (General web site)
    livere_uid: MTAyMC8z******84OTYw
    
  13. Set the favicon

    themes/next/_config.yml

    favicon:
      small: /images/pandll_16.png
      medium: /images/pandll_32.png
      apple_touch_icon: /images/pandll_180.png
      safari_pinned_tab: /images/pandll_512.svg
    

Request a free Let's Encrypt certificate

  1. sudo apt-get update

  2. sudo apt-get install software-properties-common

  3. sudo add-apt-repository ppa:certbot/certbot

  4. sudo apt-get update

  5. sudo apt-get install python-certbot-nginx

  6. sudo certbot --nginx

    $ sudo certbot --nginx                     
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): wayde@pandll.com
    
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: A
    
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: Y
    
    Which names would you like to activate HTTPS for?
    -------------------------------------------------------------------------------
    1: blog.pandll.com
    -------------------------------------------------------------------------------
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for blog.pandll.com
    Cleaning up challenges
    Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/blog.pandll.com for set(['blog.pandll.com'])
    
    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    -------------------------------------------------------------------------------
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
    
    -------------------------------------------------------------------------------
    Congratulations! You have successfully enabled https://blog.pandll.com
    
    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=blog.pandll.com
    -------------------------------------------------------------------------------
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/pandll.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/pandll.com/privkey.pem
       Your cert will expire on 2018-03-12. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    

  7. Add a site

    sudo certbot --nginx certonly

  8. Renew the certificate

    Test the renewal command

    sudo certbot renew --dry-run

    Renew

    sudo certbot renew

    Force renewal

    sudo certbot renew --force-renewal

Problems encountered

  1. perl: warning: Setting locale failed.

    apt-get update

    apt-get install language-pack-zh-hans

  2. ssh: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

    # the key type must match the file name sshd expects (ed25519, not dsa);
    # ssh-keygen -A would regenerate every missing host key type at once
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

  3. OpenVPN client connects, then keeps restarting

    Connection reset, restarting [-1]

    Switching the protocol to udp made it work; suspected to be related to the GFW

  4. ubuntu apache2: 403 forbidden

    Caused by an error in the apache2 configuration on Ubuntu
