2017/09/17

Like The Mythical Man-Month, it still reads just as aptly ten years on

Like The Mythical Man-Month, it still reads just as aptly ten years on. "Once you've got going, keeping it up isn't too hard. My day usually goes like this: (1) go to work (2) read email, browse the web, and so on (3) decide I should get to work after lunch (4) come back from lunch (5) read email, browse the web...

Posted by 巴克里 on 14 September 2017

Using AWS EC2 as an OpenVPN server

* Setting up an OpenVPN server on AWS
* First check the EC2 pricing: https://aws.amazon.com/tw/ec2/pricing/

* Start by provisioning a clean AWS EC2 instance; new users get 750 hours free.

* Follow one of the online tutorials to install and configure OpenVPN:
* How to Setup and Configure an OpenVPN Server on CentOS 6
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

* Setting up an OpenVPN server on CentOS 6
http://jamyy.us.to/blog/2013/09/5220.html

* How To Set Up an OpenVPN Server on Ubuntu 16.04
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

* I recommend the official Ubuntu guide; it is the most accurate:
https://help.ubuntu.com/lts/serverguide/openvpn.html

* Put the certificates and keys inline in the config file, because that is the only way to install it on an iPhone:
https://community.openvpn.net/openvpn/wiki/IOSinline

* Set up NAT on the host so that traffic from the VPN clients can reach the internet.
root@ip-172-31-10-225:~# cat fire.sh
# --------------------------------------------------------------
#!/bin/bash
# linux firewall rule sample
EXTIF="eth0"               # the interface that carries the public IP
INNET="192.168.20.0/24"    # the OpenVPN client subnet (matches 'server' in server.conf)
export EXTIF INNET

# clear existing rules and set default policies
iptables -F
iptables -X
iptables -Z
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT   # accepts all forwarding; net.ipv4.ip_forward must also be 1 for NAT to work

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# clean NAT table rule
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# nat: masquerade VPN client traffic behind the public interface
iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
# clamp the TCP MSS on forwarded SYNs so packets fit the tunnel MTU (avoids stalled connections)
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1536 -j TCPMSS --clamp-mss-to-pmtu
# --------------------------------------------------------------

* Once the host is configured, you can rent a fixed IP from AWS, or use an IP-to-DNS (dynamic DNS) service to publish it in DNS.
* awsopenvpn.jangmt.com is the domain name used in my example.
* For the AWS-side settings, refer to the online tutorials; they cannot be covered briefly here.

# OpenVPN server config: server.conf
# --------------------------------------------------------------
root@ip-172-31-10-225:/etc/openvpn# grep -v "#" server.conf | grep -v '^$'| grep -v ';'
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 192.168.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mode server
tls-server
# Allow multiple clients to connect with the same certificate/key
duplicate-cn
# --------------------------------------------------------------



# OpenVPN client-side inline config file, usable on iPhone
# --------------------------------------------------------------
# Reference: https://community.openvpn.net/openvpn/wiki/IOSinline
client
dev tun
remote awsopenvpn.jangmt.com 443
proto tcp
resolv-retry infinite
nobind
comp-lzo
mute 3
persist-key
persist-tun
ns-cert-type server
verb 3
#tls-client
#tls-auth ta.key 1
key-direction 1

# Inline sections, in the order CA cert, client cert, client key, tls-auth key.
# Each block must be wrapped in its tag (<ca>, <cert>, <key>, <tls-auth>) for
# OpenVPN to read it from the config file instead of a separate file.
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

# --------------------------------------------------------------
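A static review of the two configs above, as an added example (not part of the original post). SERVER_CONF and CLIENT_CONF are constructed copies of the page's server.conf and inline client file, with placeholder PEM bodies. The checker confirms that the page's tls-auth direction pairing (server 0, client 1) is consistent, and flags the points a reviewer would raise: the server listing has no `key` directive (the page's `grep -v "#"` filter hides any directive that shares a line with a comment, which is the usual reason a `key server.key` line goes missing from such a listing), `duplicate-cn` means one shared client certificate, `comp-lzo` enables compression on encrypted traffic, and `ns-cert-type` is deprecated in favour of `remote-cert-tls server`.

```python
"""Static review of an OpenVPN server.conf and an inline client config.

Added example, not part of the original post. SERVER_CONF and CLIENT_CONF
are constructed copies of the page's two configs; PEM bodies are placeholders.
"""
import re

# Sections OpenVPN accepts inline in a single-file (unified) config.
INLINE_SECTIONS = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")

SERVER_CONF = """\
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 192.168.20.0 255.255.255.0
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
duplicate-cn
"""

CLIENT_CONF = """\
client
dev tun
remote awsopenvpn.jangmt.com 443
proto tcp
ns-cert-type server
key-direction 1
<ca>
placeholder
</ca>
<cert>
placeholder
</cert>
<key>
placeholder
</key>
<tls-auth>
placeholder
</tls-auth>
"""


def parse_openvpn(text):
    """Split a config into {directive: [args, ...]} and {section: pem_body}."""
    directives, inline, section, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section:                       # inside <tag> ... </tag>
            if line == f"</{section}>":
                inline[section], section, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag and tag.group(1) in INLINE_SECTIONS:
            section = tag.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def check_server(text):
    d, inline = parse_openvpn(text)

    def present(name):
        return name in d or name in inline

    findings = [f"missing '{r}' directive" for r in ("ca", "cert", "key", "dh") if not present(r)]
    if not (present("tls-auth") or present("tls-crypt")):
        findings.append("no tls-auth/tls-crypt: control channel is not HMAC-protected")
    if "duplicate-cn" in d:
        findings.append("duplicate-cn: one shared client cert, so revoking it cuts off every client")
    if "comp-lzo" in d and d["comp-lzo"][0][:1] != ["no"]:
        findings.append("comp-lzo: compression enabled on encrypted traffic")
    if not ("user" in d and "group" in d):
        findings.append("no user/group: daemon keeps root privileges after startup")
    return findings


def check_client(text, server_text):
    d, inline = parse_openvpn(text)
    sd, _ = parse_openvpn(server_text)
    findings = [f"no <{s}> section: file is not self-contained"
                for s in ("ca", "cert", "key") if s not in inline and s not in d]
    # tls-auth direction: the server's 0 means the client must use 1.
    server_dir = sd.get("tls-auth", [[]])[0][1:2]
    client_dir = d.get("key-direction", [[]])[0][:1]
    if "tls-auth" in inline and server_dir == ["0"] and client_dir != ["1"]:
        findings.append("key-direction must be 1 when the server uses 'tls-auth ta.key 0'")
    if "ns-cert-type" in d:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    elif "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls: any certificate from the CA could pose as the server")
    return findings
```

Run `check_server(SERVER_CONF)` and `check_client(CLIENT_CONF, SERVER_CONF)` against your own files after reading them in; an empty list means nothing to fix. The `remote-cert-tls` check matters on a server with `duplicate-cn`, since every client holds the same certificate and only the extended-key-usage check stops one of them from posing as the server.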

* The main reason for using OpenVPN is that the iPhone and newer macOS versions support it; after using it for a while I found it works quite well.

* OpenVPN client tools
https://openvpn.net/index.php/open-source/downloads.html

* iPhone OpenVPN
https://itunes.apple.com/tw/app/openvpn-connect/id590379981?mt=8



nginx status page (stub_status)

# Add this inside the server block of the nginx config

location /nginx_status {
    # Turn on stats
    stub_status on;
    # only allow access from the monitoring host (192.168.211.112)
    allow 192.168.211.112;
    deny all;
}




* Active connections: 1
  The current number of open connections, including those in the Waiting state.
* server accepts handled requests 20 20 12
  The first value is the number of connections the server has accepted,
  the second is the number of connections it has handled,
  and the third is the number of requests it has handled.
  Dividing the third value by the second gives the average number of requests per connection.
* Reading: the number of requests currently being read
* Writing: the number of requests whose body is being read, that are being processed, or whose response is being written
* Waiting: the number of keep-alive connections; this value depends on keepalive_timeout
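A small parser for the stub_status output, as an added example (not part of the original post). SAMPLE is constructed to match the page's numbers (20 20 12); SAMPLE_LATER is a constructed second snapshot taken as if 10 seconds later. It computes the requests-per-connection figure described above, the accepted-but-not-handled gap (the usual sign that worker_connections has been hit), and per-second rates from two snapshots, which is how the cyberciti reference below derives "connections per second".

```python
"""Parse nginx stub_status output and derive the figures described above.

Added example, not part of the original post. SAMPLE and SAMPLE_LATER are
constructed stub_status responses.
"""
import re

SAMPLE = """Active connections: 1
server accepts handled requests
 20 20 12
Reading: 0 Writing: 1 Waiting: 0
"""

# As if taken 10 seconds later, with 5 connections accepted but not
# handled (typically the worker_connections limit).
SAMPLE_LATER = """Active connections: 3
server accepts handled requests
 125 120 112
Reading: 1 Writing: 1 Waiting: 1
"""


def parse_stub_status(text):
    """Return the raw counters plus two derived values."""
    active = re.search(r"Active connections:\s*(\d+)", text)
    counters = re.search(r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)", text)
    states = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (active and counters and states):
        raise ValueError("input is not nginx stub_status output")
    accepts, handled, requests = (int(x) for x in counters.groups())
    reading, writing, waiting = (int(x) for x in states.groups())
    return {
        "active": int(active.group(1)),
        "accepts": accepts,
        "handled": handled,
        "requests": requests,
        "reading": reading,
        "writing": writing,
        "waiting": waiting,
        # accepts - handled: connections nginx accepted but could not serve
        "dropped": accepts - handled,
        # third value divided by the second, as the post describes
        "requests_per_connection": requests / handled if handled else 0.0,
    }


def per_second(earlier, later, seconds):
    """Rates between two snapshots taken `seconds` apart."""
    return {
        "accepts_per_s": (later["accepts"] - earlier["accepts"]) / seconds,
        "requests_per_s": (later["requests"] - earlier["requests"]) / seconds,
    }


def alerts(stats, max_dropped=0):
    """Conditions worth alerting on for one snapshot."""
    out = []
    if stats["dropped"] > max_dropped:
        out.append(f"{stats['dropped']} connections accepted but not handled")
    # In stub_status output Active always equals Reading + Writing + Waiting.
    if stats["active"] != stats["reading"] + stats["writing"] + stats["waiting"]:
        out.append("active count does not match reading+writing+waiting")
    return out


if __name__ == "__main__":
    first, second = parse_stub_status(SAMPLE), parse_stub_status(SAMPLE_LATER)
    print(first)
    print(per_second(first, second, 10))
    print(alerts(second))
```

Feed it the body of `curl http://127.0.0.1/nginx_status` from a host on the allow list; the counters are cumulative since nginx started, so rates need two snapshots.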


REF:
https://www.cyberciti.biz/faq/nginx-see-active-connections-connections-per-seconds/
https://blog.gtwang.org/linux/nginx-enable-stub_status-module-to-collect-metrics/

Installing nginx on CentOS 7 and obtaining a Let's Encrypt SSL certificate

# First, follow an online tutorial to get nginx installed:
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7

# Then install the certificate. Let's Encrypt currently installs certificates through a client program:
https://letsencrypt.org/



# Install the program and tools according to the instructions here:
https://certbot.eff.org/#centosrhel7-nginx



# First make sure the domain's FQDN resolves to the server IP
# Then request and install the certificate. Let's Encrypt rate-limits by IP and domain, so try to get the request right on the first attempt.
# Run as per the instructions
[root@dev letsencrypt]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: api.jangmt.com
2: dev.jangmt.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dev.jangmt.com
Waiting for verification...
Cleaning up challenges
Cannot find a cert or key directive in /etc/nginx/conf.d/dev_jangmt_com.conf for set(['dev.jangmt.com']). VirtualHost was not modified.

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/dev.jangmt.com/fullchain.pem. Your cert will
   expire on 2017-12-16. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"


# It failed because the cert/key directives were not yet set up; we can configure them by hand.
# Check /etc/letsencrypt/; the usable certificate should be in the live directory
[root@dev conf.d]# ls /etc/letsencrypt/ -la
total 20
drwxr-xr-x.   8 root root 4096 Sep 17 04:48 .
drwxr-xr-x. 143 root root 8192 Sep 17 05:03 ..
drwx------.   3 root root   49 Sep 17 04:03 accounts
drwx------.   4 root root   60 Sep 17 04:07 archive
drwxr-xr-x.   2 root root   72 Sep 17 04:07 csr
drwx------.   2 root root   72 Sep 17 04:07 keys
drwx------.   4 root root   60 Sep 17 04:07 live
-rw-r--r--.   1 root root  822 Sep 17 04:03 options-ssl-nginx.conf
drwxr-xr-x.   2 root root   70 Sep 17 04:07 renewal
 
 
# Then set up an initial nginx config at /etc/nginx/conf.d/default.conf
# -----------------------------------------------------------
# http
server {
    server_name _;
    listen *:80 default_server deferred;
    # return 301 https://$server_name$request_uri;

    access_log  /var/log/nginx/access.log  main;
    error_log   /var/log/nginx/error.log warn;

    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }

    location ~ \.php$ {
        root           /usr/share/nginx/html;
        try_files      $uri =404;
        fastcgi_pass   127.0.0.1:9000;
        #fastcgi_pass  unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        /etc/nginx/fastcgi_params;
    }

    location ~ /\.ht {
        deny  all;
    }
}


# https
server {
    listen 443 ssl default_server;
    server_name _;

    # cert.pem is the leaf certificate only; certbot also writes fullchain.pem
    # (leaf + intermediate), which is what clients need to build the chain
    ssl_certificate     /etc/letsencrypt/live/dev.jangmt.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.jangmt.com/privkey.pem;

    access_log  /var/log/nginx/access.log  main;
    error_log   /var/log/nginx/error.log warn;
    server_tokens off;

    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }

    location ~ \.php$ {
        root           /usr/share/nginx/html;
        try_files      $uri =404;
        fastcgi_pass   127.0.0.1:9000;
        #fastcgi_pass  unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        /etc/nginx/fastcgi_params;
    }

    location ~ /\.ht {
        deny  all;
    }

    #return 301 http://$server_name$request_uri;
}




# And with that, it's set up... XD
# I know I've skipped many steps; it only has to make sense to me.
# Whenever there's an error, check the /var/log/nginx/error.log log file
[root@dev conf.d]# tail /var/log/nginx/error.log
2017/09/17 05:06:08 [error] 4159#0: *11 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443
2017/09/17 05:06:09 [error] 4159#0: *12 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443

# The error above was caused by my certificate not being configured correctly.
Basically, when several sites share one nginx instance, the default site conf has to be set up first before things will work.
# Good Luck !!
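A config check for exactly the condition behind the error log above, as an added example (not part of the original post): a server block that listens for TLS but has no ssl_certificate/ssl_certificate_key. The configs below are constructed miniatures of the default.conf from this post; BROKEN_CONF reproduces the state that produced the `no "ssl_certificate" is defined` error, LEAF_ONLY_CONF the page's final config, and FIXED_CONF the same with fullchain.pem. The second check is a caveat worth knowing: cert.pem holds only the leaf, so clients that do not already have the intermediate fail to build the chain, and certbot's output above points at fullchain.pem for that reason.

```python
"""Find nginx server blocks that listen for TLS but carry no certificate.

Added example, not part of the original post. The configs are constructed
miniatures of the page's /etc/nginx/conf.d/default.conf.
"""
import re

TEMPLATE = """
server {{
    listen *:80 default_server;
    server_name _;
    location / {{ root /usr/share/nginx/html; }}
}}
server {{
    listen 443 ssl default_server;
    server_name _;
{tls}
    location ~ /\\.ht {{ deny all; }}
}}
"""
BROKEN_CONF = TEMPLATE.format(tls="    # certificate directives still missing")
LEAF_ONLY_CONF = TEMPLATE.format(
    tls="    ssl_certificate /etc/letsencrypt/live/dev.jangmt.com/cert.pem;\n"
        "    ssl_certificate_key /etc/letsencrypt/live/dev.jangmt.com/privkey.pem;")
FIXED_CONF = LEAF_ONLY_CONF.replace("/cert.pem", "/fullchain.pem")


def server_blocks(conf):
    """Return the body of every top-level server { ... } block, comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)
    blocks, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[pos:])
        if not m:
            return blocks
        start = pos + m.end()
        depth, j = 1, start
        while depth and j < len(conf):          # brace counting handles nesting
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        blocks.append(conf[start:j - 1])
        pos = j


def top_level_directives(block):
    """(name, args) pairs of a block, ignoring anything inside nested braces."""
    chars, depth = [], 0
    for ch in block:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            chars.append(ch)
    stmts = "".join(chars).split(";")
    return [(p[0], p[1:]) for p in (s.split() for s in stmts) if p]


def check_tls(conf):
    """One finding per server block that listens for TLS without a usable cert setup."""
    findings = []
    for n, block in enumerate(server_blocks(conf), 1):
        ds = top_level_directives(block)
        names = {name for name, _ in ds}
        listens = [args for name, args in ds if name == "listen"]
        # TLS if the listen carries the ssl flag or the port is 443
        tls = any("ssl" in args or args[0].split(":")[-1] == "443" for args in listens)
        if not tls:
            continue
        if not {"ssl_certificate", "ssl_certificate_key"} <= names:
            findings.append(f"server #{n}: listens for TLS but has no ssl_certificate/ssl_certificate_key")
            continue
        cert = next(args[0] for name, args in ds if name == "ssl_certificate")
        if cert.endswith("/cert.pem"):
            findings.append(f"server #{n}: {cert} is the leaf only; point at fullchain.pem so clients get the intermediate")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("leaf-only", LEAF_ONLY_CONF), ("fixed", FIXED_CONF)):
        print(label, check_tls(conf) or ["ok"])
```

Run it over the concatenation of /etc/nginx/conf.d/*.conf before `nginx -t`: nginx accepts a TLS server block with no certificate at config-test time and only complains per handshake in error.log, which is why the error above appeared only once a client connected.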