
战狼云 operation notes

Bought a Hong Kong 战狼云 server on Singles' Day; these are the basic operations done so far.

The Alibaba Cloud lightweight server I bought last year has expired. As a new user I paid 60 yuan for a year; now renewal costs this much? Even the landlord's family has no spare grain 😥

Alibaba Cloud lightweight renewal price

Alibaba Cloud is now out of reach. I saw that Tencent Cloud's lightweight new-customer price was only about a hundred, so I bought it without hesitation, set up docker, started smartdns + adguardhome, enjoyed it for exactly one day, and then

Port 53 warning ⚠

So I tried changing the service's port to something else, but the other devices insist on port 53 and that can't be changed 💔

so...

Refund!

If a fast refund counts as a plus, Tencent Cloud is still pretty good.

Then I saw 战狼云's promotion: buy one month of a Hong Kong ECS and get a year of the same spec for free. It is a bit misleading: you have to manually claim that one-year server within a set time, otherwise you have paid 108 yuan for a one-month disposable box 😡 (in fact the IP of the one-month box I bought was painfully slow, while the free one-year one was fast; 战狼云, what are you doing?)

Now back to the topic.

Basic setup

On 战狼云 a newly created ECS needs its password reset, and the default account is root. Create an admin user with `useradd -m -g 0 pos2` and set its password, then edit `/etc/passwd` so the entry reads `pos2:x:1000:0::/home/pos2:/bin/bash` (or pass `-s /bin/bash` to useradd up front, which gives the right shell without editing /etc/passwd by hand). Add `pos2 ALL=(ALL:ALL) ALL` to `/etc/sudoers`; do this through `visudo`, or put the line in a file under `/etc/sudoers.d/`, because a syntax error in sudoers locks you out of sudo. Finally set `PermitRootLogin no` in `/etc/ssh/sshd_config` to block root logins, check the file with `sshd -t`, restart ssh, and confirm from a second session that the pos2 login and sudo work before closing the root session. One caveat: `-g 0` makes root the user's primary group, so files it creates are group-owned by root and it can read anything that is group-root-readable, which is broader than a sudo-only admin needs; a plain `useradd -m -s /bin/bash pos2` is the tighter choice.
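The basic-setup steps above, as an added example that is not part of the original post: two small shell helpers that make the sshd_config and sudoers edits safely (rewriting a commented-out default in place instead of appending a second directive, and writing a mode-0440 drop-in that visudo has syntax-checked), plus an --apply section that runs the whole procedure as root. The user name pos2 is the post's own; using /etc/sudoers.d and the config-file paths are assumptions about a stock Ubuntu install.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the basic-setup step.
# Nothing touches the real system unless run as root with --apply.

set -eu

# Print the effective value of KEY in FILE: the first uncommented occurrence
# wins, which is also how sshd reads its config. Empty output if unset.
get_conf_option() {
    file=$1 key=$2
    awk -v k="$key" '$1 == k { print $2; exit }' "$file"
}

# Set KEY to VALUE in FILE. An existing line, even a "#"-commented default
# like "#PermitRootLogin prohibit-password", is rewritten in place so no
# duplicate directive is appended; otherwise the line is added at the end.
# Writes via a temp file so a failure leaves the original untouched.
set_conf_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" \
            "$file" > "$file.tmp"
    else
        cat "$file" > "$file.tmp"
        printf '%s %s\n' "$key" "$value" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Write a sudoers drop-in granting USER full sudo (the line from the post),
# mode 0440 as sudo requires, and syntax-check it with visudo when present.
# OUT defaults to /etc/sudoers.d/USER (assumed location).
write_sudoers_dropin() {
    user=$1 out=${2:-/etc/sudoers.d/$1}
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$out"
    chmod 0440 "$out"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cqf "$out"
    fi
}

# Apply to the real system only when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    # no -g 0: keep a private primary group, sudo is all the admin needs
    id pos2 >/dev/null 2>&1 || useradd -m -s /bin/bash pos2
    passwd pos2
    write_sudoers_dropin pos2
    set_conf_option /etc/ssh/sshd_config PermitRootLogin no
    sshd -t                      # refuse to restart sshd on a broken config
    systemctl restart ssh
    echo "log in as pos2 in a second session and check sudo before closing this one"
fi
```

Run it as root with --apply to do the real thing; run it without arguments to just load the helpers. The restart is skipped when sshd -t rejects the edited file, which is the moment you still have a working root session to repair it from.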

Installing docker

Just copying the steps from the official site.

# Update the apt package index and install packages to allow apt to use a repository over HTTPS
sudo apt-get update
sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

# Add Docker's official GPG key:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

# Use the following command to set up the repository:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Update the apt package index:
sudo apt-get update

# To install the latest version, run:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Verify that the Docker Engine installation is successful by running the hello-world image:
sudo docker run hello-world

Starting smartdns + adguardhome

Switch to the root user and create a bridge network: `docker network create --subnet=172.172.0.0/24 docker-br0`

At this point port 53 is held by systemd-resolved's stub listener on 127.0.0.53; `netstat -tlunp | grep 53` (or `ss -tulnp | grep :53`) shows it. It has to be turned off without breaking the host's own DNS resolution.

Stop systemd-resolved

systemctl stop systemd-resolved

Edit /etc/systemd/resolved.conf (resolved.conf does not accept a trailing comment on a directive line, so the notes below are on lines of their own):

[Resolve]
# upstream resolver for the host itself (Google's here)
DNS=8.8.8.8
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
# must be "no", otherwise the stub grabs port 53 again at the next restart
DNSStubListener=no
#ReadEtcHosts=yes

Relink resolv.conf

ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Then restart the service with `systemctl restart systemd-resolved` so that it regenerates /run/systemd/resolve/resolv.conf from the new DNS= setting. Ubuntu's default link target is /run/systemd/resolve/stub-resolv.conf, which lists only 127.0.0.53; with the stub listener off that address answers nothing, so the link has to point at resolv.conf, the variant that lists the real upstream servers.
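A check for the hand-off above, as an added example that is not part of the original post: it verifies the two files the steps edit (DNSStubListener really is "no", and /etc/resolv.conf no longer routes through the 127.0.0.53 stub) and, on a real host, lists whatever still listens on port 53. The sample files it builds are constructed for the demo; pass the real paths to check_resolved_state on the server.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the systemd-resolved
# hand-off of port 53 using only the files the procedure touches.

set -eu

# Is DNSStubListener explicitly "no" (uncommented)? resolved's default is yes,
# so a commented-out line or a missing one means the stub comes back on
# 127.0.0.53:53 at the next restart.
stub_listener_disabled() {
    grep -Eq '^[[:space:]]*DNSStubListener[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Does LINK (normally /etc/resolv.conf) point at the file listing the real
# upstream servers rather than at stub-resolv.conf, and does its content
# avoid the now-dead 127.0.0.53 address?
resolv_conf_bypasses_stub() {
    link=$1
    target=$(readlink "$link") || return 1
    case "$target" in
        *stub-resolv.conf) return 1 ;;
    esac
    ! grep -q '127\.0\.0\.53' "$link"
}

# Both file checks together; CONF is resolved.conf, LINK is /etc/resolv.conf.
check_resolved_state() {
    conf=$1 link=$2
    stub_listener_disabled "$conf" || {
        echo "DNSStubListener is not set to no in $conf"; return 1; }
    resolv_conf_bypasses_stub "$link" || {
        echo "$link still goes through the 127.0.0.53 stub"; return 1; }
    echo "port 53 hand-off looks complete"
}

# Live check for the real host (needs ss from iproute2): print whatever
# still binds port 53. Empty output is what you want before docker run.
port53_listeners() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available"; return 0; }
    ss -lunp 'sport = :53'
}

# Demo on constructed files (not real system state).
demo=$(mktemp -d)
printf '[Resolve]\nDNS=8.8.8.8\nDNSStubListener=no\n' > "$demo/resolved.conf"
printf 'nameserver 8.8.8.8\n' > "$demo/run-resolv.conf"
ln -s "$demo/run-resolv.conf" "$demo/etc-resolv.conf"
check_resolved_state "$demo/resolved.conf" "$demo/etc-resolv.conf"
```

On the server the call is `check_resolved_state /etc/systemd/resolved.conf /etc/resolv.conf` followed by `port53_listeners`; if the latter still shows systemd-resolved, the restart after editing resolved.conf was skipped.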

Now port 53 is free, and the containers can be started with docker:

docker run -d --restart=always --name adguardhome \
  --net docker-br0 --ip 172.172.0.2 \
  -v /home/adguardhome/work:/opt/adguardhome/work \
  -v /home/adguardhome/conf:/opt/adguardhome/conf \
  -p 53:53/tcp -p 53:53/udp -p 67:67/udp -p 853:853/tcp -p 3000:3000/tcp \
  adguard/adguardhome

docker run -d --restart=always --name gsmartdns \
  --net docker-br0 --ip 172.172.0.3 \
  -p 6053:53/udp \
  -v ~/.gsmartdns:/smartdns \
  ghostry/smartdns

Open inbound port 3000 in the server's firewall (ideally only from your own IP, and close it again once setup is done), then open http://ip:3000 to configure adguardhome. Set the upstream DNS server to 172.172.0.3 (smartdns's address on the bridge network); smartdns ships preconfigured with the mainstream upstreams and needs no special configuration. Two things to keep in mind: `-p 53:53` publishes the resolver on every interface of the VPS, so without a cloud firewall rule or an allowed-clients list in adguardhome's access settings it is an open resolver that anyone on the internet can query and abuse for DNS amplification; and `-p 6053:53/udp` on the smartdns container is unnecessary, since adguardhome reaches it over the bridge at 172.172.0.3:53, and it exposes a second public resolver for no benefit.

Installing nginx

Just make sure port 80 is not already in use.

sudo apt update

sudo apt install nginx

sudo systemctl status nginx

One thing I never paid attention to before: /etc/nginx/nginx.conf contains the line include /etc/nginx/sites-enabled/*;. Dumping every domain's configuration into that one file gets long and messy; the right approach is to add a configuration file under **/etc/nginx/sites-available/** and symlink it into **/etc/nginx/sites-enabled/**.

vim /etc/nginx/sites-available/bark
ln -s /etc/nginx/sites-available/bark /etc/nginx/sites-enabled/bark # give the symlink target as an absolute path; a relative target is resolved relative to sites-enabled/, not to your current directory
nginx -t
nginx -s reload

Here bark is an SMS-forwarding service; its configuration is as follows.

server {
    listen 80;
    listen [::]:80;
    server_name bark.wdnmd.love;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Replace bark.app.dev with your real domain name.
    server_name bark.wdnmd.love;

    ssl_certificate /home/pos2/wdnmd_ca/bark.pem;
    ssl_certificate_key /home/pos2/wdnmd_ca/bark.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs;
    # this file must contain the issuer of bark.pem (see pitfall 1 below)
    ssl_trusted_certificate /home/pos2/wdnmd_ca/origin_ca_rsa_root.pem;

    # replace with the IP address of your resolver; stapling fetches the OCSP
    # response by host name, and without a resolver nginx logs
    # "no resolver defined" and serves no staple
    #resolver 127.0.0.1;

    location / {
        log_not_found on;
        # Replace http://192.168.1.123:8080 with the listening address of the bark server.
        proxy_pass http://127.0.0.1:3456;

        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_redirect off;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

Two nasty pitfalls

  1. ssl_trusted_certificate: I had no idea what certificate this was and searched for ages. Then I downloaded an ECC-version PEM file here, uploaded it to the server and configured it, and nginx -t reported this error: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/home/pos2/wdnmd_ca/wdnmd.pem". Switching to the RSA-version PEM file passed validation. It turned out the CA certificate applied for above was RSA, so presumably the formats have to match.
  2. A very baffling error: I copied the author's nginx config for bark exactly, and it still said the certificate failed validation, not https. Yet I was reusing the very same certificate as the other domains; the other domains could use it but this one couldn't? I applied for a new certificate, configured it, and then it worked... I still don't understand why 🙉
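Pitfall 1 reproduced offline, as an added example that is not part of the original post: ssl_stapling needs ssl_trusted_certificate to contain the issuer of the served certificate, because nginx validates the OCSP response against it, and a root for a different CA (the ECC root beside an RSA-signed leaf) is simply not that issuer. openssl can run the same check before anything is uploaded. The CA and leaf below are throwaway self-signed demo certificates generated on the spot; the host name and paths are assumptions, not the post's real files.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a candidate
# ssl_trusted_certificate file really is the issuer chain of a leaf cert.

set -eu

# 0 if TRUSTED contains enough to build a chain for LEAF, i.e. the file nginx
# will get as ssl_trusted_certificate contains the leaf's issuer (and the rest
# of the chain up to a root); this is the condition stapling needs.
issuer_matches() {
    leaf=$1 trusted=$2
    openssl verify -CAfile "$trusted" "$leaf" >/dev/null 2>&1
}

# Show the leaf's issuer next to the subject of the first certificate in
# TRUSTED, the quickest way to see why a mismatch happened.
explain_mismatch() {
    leaf=$1 trusted=$2
    echo "leaf issuer    : $(openssl x509 -noout -issuer -in "$leaf")"
    echo "trusted subject: $(openssl x509 -noout -subject -in "$trusted")"
}

# --- constructed demo material: throwaway keys, one-day validity ---
work=$(mktemp -d)
# an RSA root and, separately, an ECC root that signs nothing here
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo RSA Root' \
    -keyout "$work/rsa_root.key" -out "$work/rsa_root.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$work/ecc_root.key"
openssl req -x509 -new -key "$work/ecc_root.key" -days 1 -subj '/CN=Demo ECC Root' \
    -out "$work/ecc_root.pem" 2>/dev/null
# a leaf for the assumed host name, issued by the RSA root only
openssl req -newkey rsa:2048 -nodes -subj '/CN=bark.example.test' \
    -keyout "$work/bark.key" -out "$work/bark.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$work/bark.csr" -CA "$work/rsa_root.pem" \
    -CAkey "$work/rsa_root.key" -CAcreateserial -out "$work/bark.pem" 2>/dev/null

if issuer_matches "$work/bark.pem" "$work/rsa_root.pem"; then
    echo "rsa_root.pem is the issuer: stapling will be accepted"
fi
if ! issuer_matches "$work/bark.pem" "$work/ecc_root.pem"; then
    echo "ecc_root.pem is not the issuer: expect 'issuer certificate not found'"
    explain_mismatch "$work/bark.pem" "$work/ecc_root.pem"
fi
```

For the real files the call is `issuer_matches /home/pos2/wdnmd_ca/bark.pem /home/pos2/wdnmd_ca/origin_ca_rsa_root.pem`; when the bundle holds more than one certificate, explain_mismatch only prints the first subject, so look at the whole file with `openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout`.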

Finally, here is a config for reverse-proxying Google.

upstream www.google.com {
    # Google front-end addresses change over time; an address that stops
    # answering is taken out of rotation by nginx's passive health checks
    # Hong Kong google.com
    server 216.58.221.68:443 weight=6;
    # Taiwan google.com
    server 74.125.23.99:443 weight=5;
    # Tokyo, Japan google.com
    server 172.217.25.68:443 weight=4;
    # Tokyo, Japan google.com
    server 216.58.200.196:443 weight=4;
    # Osaka, Japan google.com
    server 216.58.197.4:443 weight=3;
    # Singapore google.com
    server 74.125.130.147:443 weight=2;
    server 172.217.11.164:443 weight=1;
}

# "proxy_cache one" below needs this zone defined once in the http {} context
# (e.g. in nginx.conf); without it nginx -t fails with: zone "one" is unknown
# proxy_cache_path /var/cache/nginx/google levels=1:2 keys_zone=one:10m max_size=1g inactive=1h;

server {
    listen 80;
    listen [::]:80;
    server_name google.wdnmd.love;
    return 301 https://google.wdnmd.love$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name google.wdnmd.love;
    ssl_certificate       /home/pos2/wdnmd_ca/wdnmd.pem;  # certificate path
    ssl_certificate_key   /home/pos2/wdnmd_ca/wdnmd.key;  # key path

    # only used for host names nginx must look up at runtime; the upstream
    # above is fixed IPs, so these play no role unless that is changed
    resolver 8.8.8.8 1.1.1.1 valid=60s;
    resolver_timeout 60s;

    # this mirror is usable by anyone who finds the host name; restrict it
    # (allow your own addresses and deny the rest, or add auth_basic),
    # otherwise you are running a public open proxy
    # allow 203.0.113.0/24;
    # deny all;

    location / {
        proxy_pass                          https://www.google.com;
        # added, not in the original config: the upstream is bare IPs, and
        # nginx neither sends SNI nor verifies the upstream certificate by
        # default, so without these the proxy would accept any certificate
        # presented from those addresses
        proxy_ssl_server_name               on;
        proxy_ssl_name                      www.google.com;
        proxy_ssl_verify                    on;
        proxy_ssl_verify_depth              2;
        proxy_ssl_trusted_certificate       /etc/ssl/certs/ca-certificates.crt;
        proxy_redirect                      off;
        proxy_cache one;
        proxy_cache_valid  200 302 1h;
        proxy_cache_valid  404 1m;
        # rewrite links in the page body; this only works on uncompressed
        # responses, hence the empty Accept-Encoding below
        sub_filter                          www.google.com google.wdnmd.love;
        sub_filter_once                     off;
        proxy_set_header  Host              "www.google.com";
        proxy_set_header  Referer           $http_referer;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  User-Agent        $http_user_agent;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  Accept-Encoding   "";
        proxy_set_header  Accept-Language   "zh-CN";
        proxy_cookie_domain                 www.google.com google.wdnmd.love;
        # a fixed Google preferences cookie, shared by every visitor of the mirror
        proxy_set_header  Cookie            "PREF=ID=047808f19f6de346:U=0f62f33dd8549d11:FF=2:LD=en-US:NW=1:TM=1325338577:LM=1332142444:GM=1:SG=2:S=rE0SyJh2W1IQ-Maw";
    }
}

战狼云 is really quite good.

Licensed under CC BY-NC-SA 4.0