Like The Mythical Man-Month, it reads just as aptly 10 years on. "Once you have got into the groove, keeping it going is not too hard. My day usually goes like this: (1) go to work (2) read mail, browse the web, etc. (3) decide I should get to work after lunch (4) come back from lunch (5) read mail, browse the web...
Posted by 巴克里 on September 14, 2017
2017/09/17
Like The Mythical Man-Month, it reads just as aptly 10 years on
Using AWS EC2 as an OpenVPN Server
* Set up an OpenVPN server on AWS
* First take a look at EC2 pricing https://aws.amazon.com/tw/ec2/pricing/
* Start by requesting a clean AWS EC2 server; new users get 750 hours free.
* Follow one of the tutorials online to install and configure OpenVPN.
* How to Setup and Configure an OpenVPN Server on CentOS 6
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6
* Setting up an OpenVPN Server on CentOS 6
http://jamyy.us.to/blog/2013/09/5220.html
* How To Set Up an OpenVPN Server on Ubuntu 16.04
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
* I recommend the official guide, it is more accurate
https://help.ubuntu.com/lts/serverguide/openvpn.html
* Put the configuration and all the certificates inline in one config file, because that is the only form an iPhone can install
https://community.openvpn.net/openvpn/wiki/IOSinline
* Set up NAT on the host so that addresses on the tunnel network can reach the outside.
root@ip-172-31-10-225:~# cat fire.sh
#!/bin/bash
# --------------------------------------------------------------
# linux firewall rule sample
EXTIF="eth0" # the interface that carries the public IP
INNET="192.168.20.0/24" # the tunnel network, matching "server" in server.conf
export EXTIF INNET
# forwarding must be enabled or tunnel traffic is never routed out
sysctl -w net.ipv4.ip_forward=1
# clear all rules and set the default policies
iptables -F
iptables -X
iptables -Z
# every default policy is ACCEPT, so this script does no inbound filtering of its own;
# restrict inbound ports (the OpenVPN port, SSH) with the EC2 security group
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# clean NAT table rules
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# nat: hide tunnel clients behind the public address of $EXTIF
iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
# clamp the TCP MSS on forwarded SYNs so large segments fit the tunnel MTU
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1300:1536 -j TCPMSS --clamp-mss-to-pmtu
# --------------------------------------------------------------
* Once this host is set up you can rent a fixed IP from AWS, or register it in DNS through IP2DNS
* awsopenvpn.jangmt.com is the domain name used in my example
* For the AWS-side settings please refer to the tutorials online; they cannot be explained briefly here.
# OpenVPN config file server.conf (shown with comment and blank lines filtered out; note that the filter also hides the "key server.key" line if, as in the stock sample config, it carries a trailing "#" comment)
# Caveat: duplicate-cn lets every device share one client certificate, so a leaked phone profile cannot be revoked on its own; one certificate per device keeps revocation possible.
# --------------------------------------------------------------
root@ip-172-31-10-225:/etc/openvpn# grep -v "#" server.conf | grep -v '^$'| grep -v ';'
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 192.168.20.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mode server
tls-server
#Enable multiple client to connect with same key
duplicate-cn
# --------------------------------------------------------------
# OpenVPN client inline config file, usable on the iPhone
# --------------------------------------------------------------
# Reference: https://community.openvpn.net/openvpn/wiki/IOSinline
# Each PEM block is wrapped in the inline tags described in the reference (<ca>, <cert>, <key>, <tls-auth>).
# The profile contains the client's private key, so treat the .ovpn file itself as a secret.
client
dev tun
remote awsopenvpn.jangmt.com 443
proto tcp
resolv-retry infinite
nobind
comp-lzo
mute 3
persist-key
persist-tun
# ns-cert-type is deprecated and was removed in OpenVPN 2.5; newer clients use "remote-cert-tls server" for the same check
ns-cert-type server
verb 3
#tls-client
#tls-auth ta.key 1
# key-direction 1 supplies the "1" argument of tls-auth when the key is inline
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
# --------------------------------------------------------------
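As an added example (not code from the original post), this script assembles the inline profile from the four files the server-side setup produces and then checks that the result is complete. The file names ca.crt, client1.crt, client1.key and ta.key and the remote host/port are assumptions; comp-lzo is kept to match the post's server.conf, and remote-cert-tls server stands in for the deprecated ns-cert-type.

```shell
# Added example, not from the original post. Builds an inline .ovpn
# (the IOSinline format) from the server-side files and checks it.
# Assumed file names: ca.crt client1.crt client1.key ta.key
set -eu

# build_inline_ovpn CA CERT KEY TA HOST PORT -> inline profile on stdout
build_inline_ovpn() {
    ca=$1 cert=$2 key=$3 ta=$4 host=$5 port=$6
    # comp-lzo matches the post's server.conf; remote-cert-tls server
    # replaces the deprecated "ns-cert-type server" directive
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
comp-lzo
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# check_inline_ovpn FILE -> 0 if every inline block is opened and closed and
# key-direction is set, 1 otherwise (catches a truncated or half-pasted
# profile, which the phone client refuses to import)
check_inline_ovpn() {
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$1" && grep -q "^</$tag>\$" "$1" || return 1
    done
    grep -q '^key-direction 1$' "$1"
}
```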
* The main reason for using OpenVPN is that the iPhone and newer versions of macOS support it, and after using it for a while I found it works quite well.
* OpenVPN client tools
https://openvpn.net/index.php/open-source/downloads.html
* iPhone OpenVPN
https://itunes.apple.com/tw/app/openvpn-connect/id590379981?mt=8
NGINX status page
# Add this to the server block of the nginx config
location /nginx_status {
    # Turn on stats
    stub_status on;
    # only allow access from the monitoring host; everything else is denied
    allow 192.168.211.112;
    deny all;
}
* Active connections: 1
Current number of connections, including those in Waiting
* server accepts handled requests 20 20 12
The 1st value is the number of connections the server accepted
The 2nd value is the number of connections the server handled
The 3rd value is the number of requests the server handled
Dividing the 3rd value by the 2nd gives the average number of requests per connection
* Reading: requests whose header is currently being read
* Writing: requests currently reading the body, being processed, or writing the response
* Waiting: keep-alive connections; this value is tied to keepalive_timeout
REF:
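As an added example (not from the original post), this shell function parses the text that /nginx_status returns and derives the figures explained above, including the requests-per-connection ratio and the accepts-minus-handled gap that signals dropped connections. The sample body is constructed to carry the same numbers the post quotes.

```shell
# Added example, not from the original post: parse the body returned by
# /nginx_status and derive the figures the post explains.

# stub_status_summary (stdin: raw stub_status text) -> one line of name=value pairs
stub_status_summary() {
    LC_ALL=C awk '
    /^Active connections:/ { active = $3 }
    # the three counters sit on the line after this header
    /^server accepts handled requests/ { getline; accepts = $1; handled = $2; requests = $3 }
    /^Reading:/ { reading = $2; writing = $4; waiting = $6 }
    END {
        # requests / handled = average requests per connection (keep-alive reuse)
        rpc = handled > 0 ? requests / handled : 0
        # handled normally equals accepts; a gap means connections were dropped
        # because a resource limit (e.g. worker_connections) was hit
        dropped = accepts - handled
        printf "active=%d accepts=%d handled=%d requests=%d req_per_conn=%.2f dropped=%d reading=%d writing=%d waiting=%d\n",
            active, accepts, handled, requests, rpc, dropped, reading, writing, waiting
    }'
}

# field NAME LINE -> the value of NAME in a summary line
field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# Constructed sample carrying the same figures the post quotes
SAMPLE='Active connections: 1
server accepts handled requests
 20 20 12
Reading: 0 Writing: 1 Waiting: 0'

printf '%s\n' "$SAMPLE" | stub_status_summary
```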
https://www.cyberciti.biz/faq/nginx-see-active-connections-connections-per-seconds/
https://blog.gtwang.org/linux/nginx-enable-stub_status-module-to-collect-metrics/
Installing NGINX on CentOS 7 and requesting a Let's Encrypt SSL certificate
# First find an installation tutorial online and follow it to get nginx installed
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7
# Then install the certificate; Let's Encrypt currently installs certificates through a program
https://letsencrypt.org/
# Install the program and tools following the instructions here
https://certbot.eff.org/#centosrhel7-nginx
# First make the domain's FQDN resolve to the server's IP
# Run the certificate request and install. Let's Encrypt rate-limits by IP and domain, so try to get the request right the first time.
# Run it as documented
[root@dev letsencrypt]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: api.jangmt.com
2: dev.jangmt.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dev.jangmt.com
Waiting for verification...
Cleaning up challenges
Cannot find a cert or key directive in /etc/nginx/conf.d/dev_jangmt_com.conf for set(['dev.jangmt.com']). VirtualHost was not modified.
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/dev.jangmt.com/fullchain.pem. Your cert will
expire on 2017-12-16. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
# It failed, because no cert or key directive had been configured yet; we can set it up by hand.
# Check /etc/letsencrypt/; the usable certificate should be in the live directory
[root@dev conf.d]# ls /etc/letsencrypt/ -la
total 20
drwxr-xr-x. 8 root root 4096 Sep 17 04:48 .
drwxr-xr-x. 143 root root 8192 Sep 17 05:03 ..
drwx------. 3 root root 49 Sep 17 04:03 accounts
drwx------. 4 root root 60 Sep 17 04:07 archive
drwxr-xr-x. 2 root root 72 Sep 17 04:07 csr
drwx------. 2 root root 72 Sep 17 04:07 keys
drwx------. 4 root root 60 Sep 17 04:07 live
-rw-r--r--. 1 root root 822 Sep 17 04:03 options-ssl-nginx.conf
drwxr-xr-x. 2 root root 70 Sep 17 04:07 renewal
# Then set up an initial NGINX config /etc/nginx/conf.d/default.conf
# -----------------------------------------------------------
# http
server {
    server_name _;
    listen *:80 default_server deferred;
    # return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;
    location / {
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        root /usr/share/nginx/html;
        # "=404" (no space) returns 404 for a missing script instead of handing the request to php-fpm
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}
# https
server {
    listen 443 ssl default_server;
    server_name _;
    # fullchain.pem carries the intermediate CA as well; cert.pem alone leaves some clients unable to build the chain
    ssl_certificate /etc/letsencrypt/live/dev.jangmt.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.jangmt.com/privkey.pem;
    # certbot's recommended TLS settings, the options-ssl-nginx.conf seen in the listing above
    include /etc/letsencrypt/options-ssl-nginx.conf;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;
    server_tokens off;
    location / {
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        root /usr/share/nginx/html;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/var/opt/remi/php70/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
    #return 301 http://$server_name$request_uri;
}
# And with that it is set up....XDXD
# I know I skipped a lot of steps; it only has to make sense to me.
# If anything goes wrong, check the /var/log/nginx/error.log log file
[root@dev conf.d]# tail /var/log/nginx/error.log
2017/09/17 05:06:08 [error] 4159#0: *11 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443
2017/09/17 05:06:09 [error] 4159#0: *12 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 59.127.16.209, server: 0.0.0.0:443
# The error above was caused by my certificate not being configured.
Basically, when several sites share one NGINX, the default site conf has to be set up first before things work properly.
# Good Luck !!
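As an added example (not from the original post), this lint walks an nginx config and reports every server block that listens with "ssl" but has no ssl_certificate or ssl_certificate_key, which is exactly the state behind certbot's "Cannot find a cert or key directive" message and the "no ssl_certificate is defined" handshake errors above. It assumes certificates are declared per server block, as in the post, and that no braces or "#" appear inside quoted strings.

```shell
# Added example, not from the original post. Reports server blocks that
# listen with "ssl" but lack ssl_certificate or ssl_certificate_key.
# Assumes certs are set per server block and no "{", "}" or "#" inside strings.

# lint_ssl_servers FILE -> prints one line per offending block; exit 1 if any
lint_ssl_servers() {
    LC_ALL=C awk '
    function report() {
        if (ssl && !(cert && key)) {
            printf "server block at line %d (server_name %s): ssl listener missing %s%s\n",
                start, name, (cert ? "" : "ssl_certificate "), (key ? "" : "ssl_certificate_key")
            bad++
        }
    }
    {
        line = $0; sub(/#.*/, "", line)            # drop trailing comments
        if (depth == 0 && line ~ /^[ \t]*server[ \t]*\{/) {
            start = NR; name = "-"; ssl = cert = key = 0; inserver = 1
        }
        if (inserver && depth == 1) {               # directives directly in the server block
            if (line ~ /^[ \t]*server_name[ \t]/)        { name = $2; sub(/;$/, "", name) }
            if (line ~ /^[ \t]*listen[ \t].*[ \t]ssl/)    { ssl = 1 }
            if (line ~ /^[ \t]*ssl_certificate[ \t]/)     { cert = 1 }
            if (line ~ /^[ \t]*ssl_certificate_key[ \t]/) { key = 1 }
        }
        depth += gsub(/\{/, "{", line)              # brace counting finds the block end
        depth -= gsub(/\}/, "}", line)
        if (inserver && depth == 0) { report(); inserver = 0 }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}
```

Run it against /etc/nginx/conf.d/default.conf before reloading nginx; a non-zero exit means the 443 listener would fail the handshake exactly as in the error log above.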