├── LICENSE
├── README.md
├── TEWA-500G 电信光猫破解.md
├── 为 openwrt 和 ddwrt (r6300v2, ac68u) 编译可执行文件.md
├── 使用 sniproxy + dnsmasq + nginx 访问互联网.md
├── 使用nginx及butterfly搭建网页终端.md
├── 使用nginx反向代理telegram网页客户端(单域名).md
├── 使用nginx反向代理telegram网页客户端(多域名方式,较复杂已弃用).md
├── 安装nghttp2 https代理.md
├── 快速搭建nghttp2 https代理.md
├── 搭建谷歌和维基百科反向代理.md
├── 缩小kvm磁盘分区.md
└── 通过haproxy为http,ss监听同一端口.md

/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;

  ii. moral rights retained by the original author(s) and/or performer(s);

  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;

  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;

  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;

  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and

  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.

  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.

  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.

  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

For more information, please see

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# docs

* [Using nginx to reverse-proxy the Telegram web client (single domain)](https://github.com/freedocs/docs/blob/master/%E4%BD%BF%E7%94%A8nginx%E5%8F%8D%E5%90%91%E4%BB%A3%E7%90%86telegram%E7%BD%91%E9%A1%B5%E5%AE%A2%E6%88%B7%E7%AB%AF(%E5%8D%95%E5%9F%9F%E5%90%8D).md)
* [Installing an nghttp2 https proxy](https://github.com/freedocs/docs/blob/master/%E5%AE%89%E8%A3%85nghttp2%20https%E4%BB%A3%E7%90%86.md)
* [Quickly setting up an nghttp2 https proxy](https://github.com/freedocs/docs/blob/master/%E5%BF%AB%E9%80%9F%E6%90%AD%E5%BB%BAnghttp2%20https%E4%BB%A3%E7%90%86.md)
* [Accessing the Internet with sniproxy + dnsmasq + nginx](https://github.com/freedocs/docs/blob/master/%E4%BD%BF%E7%94%A8%20sniproxy%20%2B%20dnsmasq%20%2B%20nginx%20%E8%AE%BF%E9%97%AE%E4%BA%92%E8%81%94%E7%BD%91.md)
* [Building a web terminal with nginx and butterfly](https://github.com/freedocs/docs/blob/master/%E4%BD%BF%E7%94%A8nginx%E5%8F%8Abutterfly%E6%90%AD%E5%BB%BA%E7%BD%91%E9%A1%B5%E7%BB%88%E7%AB%AF.md)
* [Listening on one port for http and ss with haproxy](https://github.com/freedocs/docs/blob/master/%E9%80%9A%E8%BF%87haproxy%E4%B8%BAhttp%2Css%E7%9B%91%E5%90%AC%E5%90%8C%E4%B8%80%E7%AB%AF%E5%8F%A3.md)
* [Compiling executables for OpenWrt and DD-WRT (r6300v2, ac68u)](https://github.com/freedocs/docs/blob/master/%E4%B8%BA%20openwrt%20%E5%92%8C%20ddwrt%20(r6300v2%EF%BC%8C%20ac68u)%20%E7%BC%96%E8%AF%91%E5%8F%AF%E6%89%A7%E8%A1%8C%E6%96%87%E4%BB%B6.md)
* [Setting up Google and Wikipedia reverse proxies](https://github.com/freedocs/docs/blob/master/%E6%90%AD%E5%BB%BA%E8%B0%B7%E6%AD%8C%E5%92%8C%E7%BB%B4%E5%9F%BA%E7%99%BE%E7%A7%91%E5%8F%8D%E5%90%91%E4%BB%A3%E7%90%86.md)
* [Shrinking a KVM disk partition](https://github.com/freedocs/docs/blob/master/%E7%BC%A9%E5%B0%8Fkvm%E7%A3%81%E7%9B%98%E5%88%86%E5%8C%BA.md)

--------------------------------------------------------------------------------
/TEWA-500G 电信光猫破解.md:
--------------------------------------------------------------------------------
TEWA-500G

Address: 192.168.1.1
ssh: admin:admin; after logging in, run `sh`

Remount the root filesystem read-write

```bash
mount -o remount,rw /
```

1\. Fixing the restriction that only `useradmin` can be used as the username

```bash
cd /webs
vi login.html
```

Search for `disabled` and change `value=\"useradmin\" disabled='true'` to `value=\"useradmin\"`

2\. Fixing the requirement that the SSID start with `ChinaNet-`

`vi NW_Basic.html`

Delete the following lines

```js
var place = str.indexOf("ChinaNet-");
if(place!=0)
{
    alert('SSID "' + wlSsid.value + '" ......ChinaNet-..............
    return false;
}
```

-------------

Log in to the web UI at `192.168.1.1` as `telecomadmin` / `nE7jA%5m`, change the `ssid`, and enable automatic `pppoe` dialing

3\. Add automatic PPPoE dialing so that Wi-Fi clients can reach the Internet.

Network - Network settings - 2_INTERNET_B_VID_ connection mode: route; enter the broadband username and password

Save, apply.

Under Status - WAN-side information you can see the PPPoE IP address. Check that the TV's IPTV still works.

4\.
Change the automatically obtained DNS servers

China Telecom's own DNS resolvers are slow and have many problems; clients using the ONT's network would each need their own DNS configuration. Changing the DNS directly on the ONT avoids having to touch every client.

In the ssh console

```bash
cd /etc
ls -l
resolv.conf -> /var/fyi/sys/dns
```

`resolv.conf` is a symlink to `/var/fyi/sys/dns`, and every successful dial-up rewrites that file with Telecom's default DNS servers

```bash
mv resolv.conf resolv.conf.bak
vi resolv.conf
```

Add the Alibaba and 114 DNS servers

```bash
nameserver 223.5.5.5
nameserver 114.114.114.114
```

Save and `reboot` the router. After dial-up, `resolv.conf` still holds the DNS servers we set, while `resolv.conf.bak` is the file that gets changed.

--------------------------------------------------------------------------------
/为 openwrt 和 ddwrt (r6300v2, ac68u) 编译可执行文件.md:
--------------------------------------------------------------------------------
# Compiling executables for OpenWrt and DD-WRT (r6300v2, ac68u)

## Environment

Build system: Ubuntu 16.04 64-bit

OpenWrt trunk; DD-WRT firmware version: Netgear R6300V2 DD-WRT v3.0-r29875M kongac (06/11/16)

Binaries to install: n2n edge, shellinabox, kms server

## Confirming the DD-WRT executable format

`openwrt` executables can be built directly with the `SDK`; for `ddwrt` the executable format has to be confirmed first.

Copy busybox out of the DD-WRT firmware to the build host; `file busybox` shows

```shell
busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size
```

Then run

```shell
readelf -d busybox
```

which shows

```shell
 Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libgcc_s.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so]
```

It links against `libc.so`; check the libc version on the router

```shell
cd /lib/
./libc.so
```

which prints

```shell
musl libc
Version 1.1.11
Dynamic Program Loader
Usage: ./libc.so [options] [--] pathname [args]
```

So DD-WRT uses [musl libc](http://www.etalabs.net/compare_libcs.html). Now look at the OpenWrt [build releases](https://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/)

The name `OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64.tar.bz2` shows that it also uses `musl libc`. Download [aria2](https://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/packages/packages/aria2_1.24.0-1_bcm53xx.ipk) from the packages directory,

rename it to `aria2_1.24.0-1_bcm53xx.tar.gz`, extract it, then extract the `data.tar.gz` inside it to get the file `data/usr/bin/aria2c`.

Copy `aria2c` into the DD-WRT `/jffs` directory and run `./aria2c --help` to test it

```shell
./aria2c --help
Usage: aria2c [OPTIONS] [URI | MAGNET | TORRENT_FILE | METALINK_FILE]...
Printing options tagged with '#basic'.
```

It runs correctly, so binaries built for OpenWrt can be used directly on DD-WRT.

## Installing build dependencies

```
apt-get update
apt-get install git-core build-essential libssl-dev libncurses5-dev unzip gawk
apt-get install subversion mercurial
```

Download and extract the cross-compilation SDK

```shell
wget https://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64.tar.bz2
tar xf OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64.tar.bz2
cd OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64
```

Set the environment variables

```shell
PATH=$PATH:$HOME/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64/staging_dir/toolchain-arm_cortex-a9_gcc-5.3.0_musl-1.1.15_eabi/bin
export PATH

STAGING_DIRPATH=$HOME/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64/staging_dir/toolchain-arm_cortex-a9_gcc-5.3.0_musl-1.1.15_eabi
export STAGING_DIRPATH

STAGING_DIR=$HOME/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64/staging_dir/toolchain-arm_cortex-a9_gcc-5.3.0_musl-1.1.15_eabi
export STAGING_DIR

CFLAGS=-I$HOME/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64/staging_dir/target-arm_cortex-a9_musl-1.1.15_eabi/usr/include
LDFLAGS=-L$HOME/OpenWrt-SDK-bcm53xx_gcc-5.3.0_musl-1.1.15_eabi.Linux-x86_64/staging_dir/target-arm_cortex-a9_musl-1.1.15_eabi/usr/lib

export CFLAGS
export LDFLAGS
```

## Compiling n2n edge

Download the n2n source

```shell
svn checkout https://svn.ntop.org/svn/ntop/trunk/n2n/n2n_v2/
```

Append `$(LDFLAGS)` to every compile invocation, i.e. in the `Makefile` change

`CFLAGS+=$(DEBUG) $(OPTIMIZATION) $(WARN) $(OPTIONS) $(PLATOPTS) $(N2N_DEFINES)`
to
`CFLAGS+=$(DEBUG) $(OPTIMIZATION) $(WARN) $(OPTIONS) $(PLATOPTS) $(N2N_DEFINES) $(LDFLAGS)`

Compile

```shell
make CC=arm-openwrt-linux-muslgnueabi-gcc LD=arm-openwrt-linux-muslgnueabi-ld
```

Note: if headers such as `openssl/aes.h` are missing, compile nginx in the cross environment first so that its dependencies get installed. If you would rather install the dependencies by hand, see [here](https://forum.openwrt.org/viewtopic.php?id=57657)

```shell
./scripts/feeds update
./scripts/feeds install nginx
make package/feeds/packages/nginx/compile V=s
```

Copy the generated `supernode` and `edge` files from the n2n directory to the router

## Compiling vlmcsd

Same as for n2n: download and extract the source, then run in its directory

```shell
make CC=arm-openwrt-linux-muslgnueabi-gcc LD=arm-openwrt-linux-muslgnueabi-ld
```

Copy the generated `vlmcsd` and `vlmcs` files to the router.

## Compiling shellinabox

Install the `libpam` dependency into the cross environment by building `openssh-server-pam`

```shell
./scripts/feeds install openssh-server-pam
make package/feeds/packages/openssh/compile V=s
```

Install the dependencies and fetch the source

```shell
apt-get install git libssl-dev libpam0g-dev zlib1g-dev dh-autoreconf
git clone https://github.com/shellinabox/shellinabox
cd shellinabox
```

Configure

```shell
autoreconf -iv
./configure --disable-utmp
```

Compile

```bash
make CC=arm-openwrt-linux-muslgnueabi-gcc LD=arm-openwrt-linux-muslgnueabi-ld
```

Copy the generated `shellinaboxd` to the router and run

```shell
/usr/bin/shellinaboxd -t -s /:LOGIN --localhost-only --background=/var/run/shellinabox.pid
```

This listens for the `http shell` on `127.0.0.1:4200`

Forward it over https with nginx

```shell
location /shellinabox {
    auth_basic "Authentication required";
    auth_basic_user_file /etc/nginx/.dlpasswd;
    proxy_pass http://127.0.0.1:4200/;
}
```

Open `https://route.example.com/shellinabox` to control the router

The service can be kept alive with the following crontab script

```shell
#!/bin/bash

# */1 * * * * /root/bin/shellinabox >> /var/log/shellinabox.log 2>&1

# restart shellinaboxd if no process with that name is running
if [ $(/usr/bin/ps -ef|grep shellinaboxd|grep -v grep|wc -l) -eq 0 ];then
    /usr/bin/shellinaboxd -t -s /:LOGIN --localhost-only --background=/var/run/shellinabox.pid
    echo $(date) -- shellinaboxd started
fi
```

## Installing transmission

Newer Kong DD-WRT builds no longer bundle transmission, but it can still be installed under /jffs

Download the files

```shell
cd /jffs
curl -k -s http://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/packages/packages/transmission-daemon-openssl_2.92-3_bcm53xx.ipk > t.tar.gz
tar xzf t.tar.gz
tar xzf data.tar.gz
rm control.tar.gz debian-binary t.tar.gz data.tar.gz

curl -k -s https://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/packages/packages/transmission-web_2.92-3_bcm53xx.ipk > t.tar.gz
tar xzf t.tar.gz
tar xzf data.tar.gz
rm control.tar.gz debian-binary t.tar.gz data.tar.gz

curl -k -s https://downloads.openwrt.org/snapshots/trunk/bcm53xx/generic/packages/base/libevent2_2.0.22-1_bcm53xx.ipk >t.tar.gz
tar xzf t.tar.gz
tar xzf data.tar.gz
rm control.tar.gz debian-binary t.tar.gz data.tar.gz
```

Run `transmission-daemon --help` to check that it prints its usage normally.

Run

```shell
mkdir /mnt/usb
mount --bind /mnt/sdb1 /mnt/usb
/jffs/usr/bin/transmission-daemon -g /mnt/usb/transmission --logfile /jffs/log/transmission-daemon.log --pid-file /jffs/run/transmission-daemon.pid
```

crontab script

```shell
#!/bin/sh

# file location: /jffs/bin/transmission

# crontab: */1 * * * * root /jffs/bin/transmission >> /jffs/log/transmission.log

LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib:/mmc/lib:/mmc/usr/lib:/opt/lib:/opt/usr/lib
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
TRANSMISSION_WEB_HOME=/jffs/usr/share/transmission/web

export LD_LIBRARY_PATH
export PATH
export TRANSMISSION_WEB_HOME

# bind-mount the USB disk if it is not mounted yet; the directory existing on
# its own proves nothing, so check /proc/mounts rather than test -d
if ! grep -q ' /mnt/usb ' /proc/mounts;then
    mkdir -p /mnt/usb
    mount --bind /mnt/sdb1 /mnt/usb
fi

if ! grep -q ' /mnt/usb ' /proc/mounts;then
    echo 'disk not mounted.'
    exit 1
fi

# start the daemon only if no transmission-daemon process is running
if [ $(/bin/ps|grep transmission-daemon|grep -v grep|wc -l) -eq 0 ];then
    /jffs/usr/bin/transmission-daemon -g /mnt/usb/transmission --logfile /jffs/log/transmission-daemon.log --pid-file /jffs/run/transmission-daemon.pid
    echo $(date) -- transmission-daemon started
fi
```

--------------------------------------------------------------------------------
/使用 sniproxy + dnsmasq + nginx 访问互联网.md:
--------------------------------------------------------------------------------
Accessing the Internet with sniproxy + dnsmasq + nginx

## Pros and cons

Pros: the client side is simple. Only the DNS setting has to change, and inside a LAN even that can be skipped: set the DNS on the main router and every client connected by cable or Wi-Fi obtains the target DNS automatically.

Cons: the target site must support https; it does nothing for sites without https.

## Scheme and principle

Server A: sniproxy on a remote VPS outside the firewall listens for connections on port 443 and transparently proxies https traffic according to the server name in the TLS handshake.

Server B: (preferably a machine on the LAN, such as the router or a NAS)

1\. Redirect all port 443 traffic to port 443 on server A. iptables, socat, sniproxy, haproxy and the like can be used.

2\. nginx answers every port 80 request with an HTTP 302 redirect to 443

3\. dnsmasq provides a DNS server that resolves every poisoned domain to server B's IP address; domains that are not poisoned are resolved through a domestic DNS service such as `114.114.114.114` or `223.5.5.5`.

Client C: (phones, PCs etc.) set the DNS server to server B's IP address.

**Principle**

A: `104.233.233.233` (listens on 443) B: `192.168.0.5` (listens on 53, 80, 443) C: `192.168.1.10`

1\. When client C makes an HTTP request it resolves the domain through the DNS provided by B. For a domestic domain the correct address is returned directly; otherwise server B's IP is returned. For example, when visiting `http://google.com` the DNS query returns 192.168.0.5

2\. Client C visits `http://192.168.0.5:80 (host: google.com)` and is redirected to port 443, so it continues with `https://192.168.0.5:443 (host: google.com)`

3\. Server B receives the request on port 443 and forwards the TCP connection to server A port 443, i.e. `https://104.233.233.233:443 (host: google.com)`.

4\. Server A receives the request on port 443, inspects the server name (`google.com`) and proxies it transparently based on that name, i.e. to `https://google.com`

***Why listen on port 80 locally? Why not have DNS return server A's IP address directly?***

If DNS returned server A's IP address directly, client C's request to `http://104.233.233.233 (host: google.com)` would be met with a TCP reset and the visit would fail. Listening on port 80 on the LAN and 302-redirecting to 443 avoids that error.

## Example configuration

Server A: `/etc/sniproxy.conf`

```
user daemon

pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listen 104.233.233.233:443 {
    proto tls
    table https_hosts

    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}

table https_hosts {
    .* *:443
}
```

Server B:

`/etc/sniproxy.conf`

```
user daemon

pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

listen 443 {
    proto tls
    table https_hosts

    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}

table https_hosts {
    .* 104.233.233.233:443
}
```

`/etc/nginx/sites-enabled/default`

```
server {
    listen 80 default_server;

    server_name _;

    if ($ssl_protocol = "") {
        return 302 https://$http_host$request_uri;
    }
}
```

`/etc/dnsmasq.conf`

```
conf-dir=/etc/dnsmasq.d
listen-address=0.0.0.0
no-resolv
server=8.8.4.4
server=8.8.8.8
address=/#/192.168.0.5
```

`/etc/dnsmasq.d/accelerated-domains.china.conf`

Download the file `https://github.com/felixonmars/dnsmasq-china-list/raw/master/accelerated-domains.china.conf`

`/etc/dnsmasq.d/extra.conf`

```
# manually maintained list of domains that do not need the proxy
server=/baidu.com/114.114.114.114
```

--------------------------------------------------------------------------------
/使用nginx及butterfly搭建网页终端.md:
--------------------------------------------------------------------------------
[butterfly](https://github.com/paradoxxxzero/butterfly) is an excellent web terminal. With nginx you can publish it as a web management terminal at `https://example.com/butterfly`, protected by `http auth`.

`nginx` needs the [ngx_http_substitutions_filter_module](https://github.com/yaoweibin/ngx_http_substitutions_filter_module) module.

**Install butterfly and its dependencies**

```bash
pip install butterfly
apt-get purge nginx nginx-full
apt-get install nginx-common libxslt1-dev libgd-dev libgeoip-dev libpcre3-dev git
```

**Get the nginx source**

```bash
# Create temporary work area
cd
mkdir nginx
cd nginx

# Download and extract nginx
wget http://nginx.org/download/nginx-1.9.5.tar.gz
tar xf nginx-1.9.5.tar.gz

# Download and extract OpenSSL
wget https://www.openssl.org/source/openssl-1.0.2d.tar.gz
tar xf openssl-1.0.2d.tar.gz

# Download and extract zlib
wget http://zlib.net/zlib-1.2.8.tar.gz
tar xf zlib-1.2.8.tar.gz

# Delete downloads
rm *.tar.gz

# Download ngx_http_substitutions_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
```

**Build and install nginx**

```bash
cd nginx-1.9.5

./configure \
    --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
    --sbin-path=/usr/sbin/nginx \
    --prefix=/usr/share/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/run/nginx.pid \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-debug \
    --with-pcre-jit \
    --with-ipv6 \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_dav_module \
    --with-http_geoip_module \
    --with-http_gzip_static_module \
    --with-http_image_filter_module \
    --with-http_v2_module \
    --with-http_sub_module \
    --with-http_xslt_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-zlib=../zlib-1.2.8 \
    --with-openssl=../openssl-1.0.2d \
    --add-module=../ngx_http_substitutions_filter_module

make
make install
```

**nginx configuration**

Change `example.com` to your domain

```bash
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate certs/example.com.chained.crt;
    ssl_certificate_key certs/example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    charset utf-8;

    access_log /var/log/nginx/$host.access.log;

    client_max_body_size 20M;

    root /var/www/;
    index index.html index.htm index.php;

    if ($ssl_protocol = "") {
        return 301 https://$http_host$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location /butterfly {
        auth_basic "Authentication required";
        auth_basic_user_file /etc/nginx/.dlpasswd;

        rewrite ^/butterfly/?(.*) /$1 break;
        proxy_pass http://127.0.0.1:57575;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;

        subs_filter_types text/css text/xml application/javascript;
        subs_filter /style.css '/butterfly/style.css';
        subs_filter /static '/butterfly/static';
        subs_filter /ws '/butterfly/ws';
        subs_filter location.pathname '"/"';
    }
}
```

`/etc/nginx/.dlpasswd` is generated with htpasswd

```bash
htpasswd -c /etc/nginx/.dlpasswd xxx
```

**supervisor configuration**

Change `user=root` to a user that can log in with a password

```bash
vi /etc/supervisor/conf.d/butterfly.conf
```

```ini
[program:butterfly]
command=butterfly.server.py --unsecure --login=false --host=127.0.0.1
autorestart=true
user=root
```

Start butterfly

```bash
service supervisor restart
```

**Check that it works**

Open `https://example.com/butterfly` in a browser and use the web terminal

## Arch Linux systemd example

butterfly can be installed in a virtualenv and added as a systemd service

```
cd /var/www
virtualenv -p python3 butterfly

cd butterfly
source bin/activate
pip install butterfly
```

Because `ArchLinux` has no `daemon` user, change `daemon = utils.User(name='daemon')` in `/var/www/butterfly/lib/python3.5/site-packages/butterfly/terminal.py` to `daemon = utils.User(name='nobody')`

Run it once by hand to make sure it works

```
butterfly.server.py --unsecure --login=true --host=127.0.0.1
```

Add the `systemd` service

`vi /etc/systemd/system/butterfly.service`

```
[Unit]
Description=Butterfly service
After=network.target

[Service]
ExecStart=/var/www/butterfly/bin/butterfly.server.py --unsecure --login=true --host=127.0.0.1
Restart=always

[Install]
WantedBy=multi-user.target
```

```
systemctl enable butterfly
systemctl start butterfly
```

--------------------------------------------------------------------------------
/使用nginx反向代理telegram网页客户端(单域名).md:
--------------------------------------------------------------------------------
Provide web access to Telegram by reverse-proxying the Telegram API. The domain is assumed to be `https://im.example.com`.

## 1\. Generate the `im` domain certificate at `startssl`

The domain to reverse-proxy is `web.telegram.org`; the following hostnames are proxied as subdirectories.

`pluto.web` `venus.web` `aurora.web` `vesta.web` `flora.web` `pluto-1.web` `venus-1.web` `aurora-1.web` `vesta-1.web` `flora-1.web`

Configure the DNS records.

Certificates and private keys are kept in `/etc/nginx/certs/`. The script `nginx.sh` below assembles the certificate chain.

`/etc/nginx/certs/nginx.sh`

```
#!/bin/bash

#if [ ! -f "ca-sha2.pem" ];then
#    wget http://www.startssl.com/certs/ca-sha2.pem -O ca-sha2.pem
#fi

if [ ! -f "sub.class1.server.sha2.ca.pem" ];then
    wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem -O sub.class1.server.sha2.ca.pem
fi

if [ ! -f "ca-certs.crt" ];then
    cat sub.class1.server.sha2.ca.pem > ca-certs.crt
fi

cat $1.crt ca-certs.crt > $1.chained.crt
```

Usage: `./nginx.sh im.example.com`

## 2\. `nginx` configuration

**Configure the `web` application**

1\. Download the latest [webogram](https://github.com/zhukov/webogram/releases) release (the first asset, not the "Source code" tarball) and extract it on the server, e.g. to `/var/www/im`

2\. Edit `/var/www/web/js/app.js` and change the domain in `"https://"+l+".web.telegram.org/"` to `"https://im.example.com/"+l+"/"`. Then, when `https://im.example.com` is visited, the `api` calls go back to `im.example.com`.

For example, a call to `https://venus.web.telegram.org/apiw1` is directed to `https://im.example.com/venus/apiw1`

3\. Download the `webogram.appcache` file into the application directory

```
cd /var/www/im
wget https://web.telegram.org/webogram.appcache
```

4\. Change the application's `api_id` and `api_hash`

Register a new application at `https://my.telegram.org` with your domain; after submitting you receive an `api_id` and `api_hash`

Edit `/var/www/im/js/app.js` (it is minified into a mess, but Ctrl+W in nano can search it), search for `Config.App={id:2496,hash:"8da85b0d5bfe62527e5b244c209159c3"`, and change `id` and `hash` to your `api_id` and `api_hash`

5\.
修改文件拥有者为 `http` (archlinux) 或 `www-data` (ubuntu) 62 | 63 | `chown -R http:http /var/www/im` 64 | 65 | 66 | **配置 `api` 代理** 67 | 68 | 注意替换其中的 `im.example.com` 为你的域名 69 | 70 | `/etc/nginx/sites-enabled/im.example.com` 71 | 72 | ``` 73 | server { 74 | listen 80; 75 | listen 443 ssl; 76 | server_name im.example.com; 77 | ssl_certificate certs/im.example.com.chained.crt; 78 | ssl_certificate_key certs/im.example.com.key; 79 | 80 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 81 | ssl_ciphers HIGH:!aNULL:!MD5; 82 | 83 | ##DNS Resolver 84 | resolver 8.8.8.8 valid=300s; 85 | resolver_timeout 10s; 86 | 87 | charset utf-8; 88 | 89 | access_log /var/log/nginx/$host.access.log; 90 | 91 | client_max_body_size 20M; 92 | 93 | root /var/www/im; 94 | index index.html index.htm index.php; 95 | 96 | error_page 500 502 503 504 /50x.html; 97 | location = /50x.html { 98 | root /usr/share/nginx/html; 99 | } 100 | 101 | location / { 102 | if ($scheme = http) { 103 | return 302 https://$http_host$request_uri; 104 | } 105 | } 106 | 107 | location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { 108 | expires 365d; 109 | } 110 | 111 | # proxy telegram api 112 | location ~* ^/(pluto|venus|aurora|vesta|flora|pluto-1|venus-1|aurora-1|vesta-1|flora-1)/(.*)$ { 113 | proxy_buffering off; 114 | proxy_pass https://$1.web.telegram.org/$2; 115 | } 116 | } 117 | ``` 118 | -------------------------------------------------------------------------------- /使用nginx反向代理telegram网页客户端(多域名方式,较复杂已弃用).md: -------------------------------------------------------------------------------- 1 | ## 已弃用,请参考 [使用nginx反向代理telegram网页客户端(单域名)](https://github.com/freedocs/docs/blob/master/%E4%BD%BF%E7%94%A8nginx%E5%8F%8D%E5%90%91%E4%BB%A3%E7%90%86telegram%E7%BD%91%E9%A1%B5%E5%AE%A2%E6%88%B7%E7%AB%AF(%E5%8D%95%E5%9F%9F%E5%90%8D).md) 2 | 3 | 通过反代 telegram api 来实现 telegram 服务的 web 访问。假定域名为 `https://web.example.com`。 4 | 5 | 6 | ##1\. 
## 1. Generate the domain certificates at `startssl`. For example, the following subdomains are needed to replace `web.telegram.org`

`web` `pluto.web` `venus.web` `aurora.web` `vesta.web` `flora.web` `pluto-1.web` `venus-1.web` `aurora-1.web` `vesta-1.web` `flora-1.web`

Configure DNS resolution for them.

Store the certificates and private keys in `/etc/nginx/certs/`. Use the following script, `nginx.sh`, to assemble the certificate chain.

`/etc/nginx/certs/nginx.sh`

```
#!/bin/bash

#if [ ! -f "ca-sha2.pem" ];then
#    wget http://www.startssl.com/certs/ca-sha2.pem -O ca-sha2.pem
#fi

if [ ! -f "sub.class1.server.sha2.ca.pem" ];then
    wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem -O sub.class1.server.sha2.ca.pem
fi

if [ ! -f "ca-certs.crt" ];then
    cat sub.class1.server.sha2.ca.pem > ca-certs.crt
fi

cat "$1.crt" ca-certs.crt > "$1.chained.crt"
```

Usage: `./nginx.sh pluto.web.example.com`

Or use the following script to process all of them in one go

`/etc/nginx/certs/chainall.sh`

```
#!/bin/bash

for file in *.crt; do
    # skip the chained outputs and the CA bundle, otherwise re-running
    # the script chains them again
    case "$file" in
        *.chained.crt|ca-certs.crt) continue ;;
    esac
    ./nginx.sh "${file%%.crt*}"
done
```

## 2. nginx configuration

**Configuring the `web` app**

1. Download the latest [webogram](https://github.com/zhukov/webogram/releases) release and extract it on the server, e.g. to `/var/www/web`

2. Edit `/var/www/web/js/app.js` and change the domain in `"https://"+l+".web.telegram.org/"` to your own domain. This way, when `https://web.example.com` is opened, the `api` calls the client makes go back to `web.example.com`.

For example, a call to `https://venus.web.telegram.org/apiw1` is directed to `https://venus.example.com/apiw1`

3. Download the `webogram.appcache` file into the application directory

```
cd /var/www/web
wget https://web.telegram.org/webogram.appcache
```

4. Change the application's `api_id` and `api_hash`

Register a new application at `https://my.telegram.org` and enter your domain; after submitting you receive an `api_id` and `api_hash`

Edit `/var/www/web/js/app.js`, search for `Config.App={id:2496,hash:"8da85b0d5bfe62527e5b244c209159c3"` and change the `id` and `hash` to your `api_id` and `api_hash`
5. Change the file owner to `http` (archlinux) or `www-data` (ubuntu)

`chown -R http:http /var/www/web`

**Configuring the `api` proxy**

Remember to replace `web.example.com` with your domain

`/etc/nginx/sites-enabled/web.example.com`

```
server {
    listen 80;
    listen 443 ssl;
    server_name web.example.com;
    ssl_certificate certs/web.example.com.chained.crt;
    ssl_certificate_key certs/web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    charset utf-8;

    access_log /var/log/nginx/$host.access.log;

    client_max_body_size 20M;

    root /var/www/web;
    index index.html index.htm index.php;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location / {
        if ($scheme = http) {
            return 302 https://$http_host$request_uri;
        }

        # proxy_buffering off;
        # proxy_pass https://web.telegram.org;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name venus.web.example.com;
    ssl_certificate certs/venus.web.example.com.chained.crt;
    ssl_certificate_key certs/venus.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://venus.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name pluto.web.example.com;
    ssl_certificate certs/pluto.web.example.com.chained.crt;
    ssl_certificate_key certs/pluto.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302
https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://pluto.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name aurora.web.example.com;
    ssl_certificate certs/aurora.web.example.com.chained.crt;
    ssl_certificate_key certs/aurora.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://aurora.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name vesta.web.example.com;
    ssl_certificate certs/vesta.web.example.com.chained.crt;
    ssl_certificate_key certs/vesta.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://vesta.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name flora.web.example.com;
    ssl_certificate certs/flora.web.example.com.chained.crt;
    ssl_certificate_key certs/flora.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://flora.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name pluto-1.web.example.com;
    ssl_certificate certs/pluto-1.web.example.com.chained.crt;
    ssl_certificate_key certs/pluto-1.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://pluto-1.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name venus-1.web.example.com;
    ssl_certificate certs/venus-1.web.example.com.chained.crt;
    ssl_certificate_key certs/venus-1.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://venus-1.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name aurora-1.web.example.com;
    ssl_certificate certs/aurora-1.web.example.com.chained.crt;
    ssl_certificate_key certs/aurora-1.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://aurora-1.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name vesta-1.web.example.com;
    ssl_certificate certs/vesta-1.web.example.com.chained.crt;
    ssl_certificate_key certs/vesta-1.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://vesta-1.web.telegram.org;
    }
}

server {
    listen 80;
    listen 443 ssl;
    server_name flora-1.web.example.com;
    ssl_certificate certs/flora-1.web.example.com.chained.crt;
    ssl_certificate_key certs/flora-1.web.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    if ($scheme = http) {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_buffering off;
        proxy_pass https://flora-1.web.telegram.org;
    }
}
```

--------------------------------------------------------------------------------
/安装nghttp2 https代理.md:
--------------------------------------------------------------------------------

# Basic principle

chrome -> nghttpx(https proxy) -> squid -> internet

# References:

[Building an HTTP/2 proxy with nghttpx](https://wzyboy.im/post/1052.html)

[nghttp2](https://github.com/tatsuhiro-t/nghttp2/blob/master/README.rst#requirements)

[spdylay](https://github.com/tatsuhiro-t/spdylay)

# Environment

ubuntu 14.04 x86_64

# 1. Install dependencies

```
apt-get install make binutils autoconf automake autotools-dev libtool pkg-config \
    zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
    libjemalloc-dev cython python3.4-dev
```

# 2. Install spdylay

```
git clone https://github.com/tatsuhiro-t/spdylay

cd spdylay/
autoreconf -i
automake
autoconf
./configure
make
make install
```

# 3. Install nghttp2

```
git clone https://github.com/tatsuhiro-t/nghttp2

cd nghttp2
autoreconf -i
automake
autoconf
./configure --enable-asio-lib
make
make install
```
# 4. Configure nghttp2

```
cp contrib/nghttpx-init /etc/init.d/nghttpx
mkdir /var/log/nghttpx
mkdir /etc/nghttpx
```

Create the config file with `vi /etc/nghttpx/nghttpx.conf` and add the following

```
frontend=0.0.0.0,20443
backend=127.0.0.1,3128
private-key-file=/etc/nginx/certs/www.example.com.key
certificate-file=/etc/nginx/certs/www.example.com.crt
http2-proxy=yes

# set workers, adjust to CPU
workers=1

# enable client TLS auth
#verify-client=yes
#verify-client-cacert=/path/to/client/ca

# do not add X-Forwarded-For header
add-x-forwarded-for=no
# do not add Via header
no-via=yes
# do not use OCSP server
no-ocsp=yes
# set NPN / ALPN order
npn-list=spdy/3.1,h2
# only use TLS 1.2
tls-proto-list=TLSv1.2
# enable log
accesslog-file=/var/log/nghttpx/access.log
accesslog-format=$remote_addr [$time_iso8601] "$request" $status $body_bytes_sent $alpn "$http_user_agent"
```

The configuration above listens on port 20443 and hands requests to port 3128; the data is encrypted in transit with TLSv1.2

# 5. Install and configure squid

```
apt-get update
apt-get install squid3

cd /etc/squid3/
mv squid.conf squid.conf.ori
vi squid.conf
```

Add the following

```
http_port 127.0.0.1:3128
#http_access allow localhost

# disable cache and log
cache deny all
access_log none

# prefer ipv4
dns_v4_first on
# no Via header
via off
# delete X-Forwarded-For header
forwarded_for delete

# http auth
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/password
auth_param basic realm login
auth_param basic casesensitive on
auth_param basic credentialsttl 2 hours
auth_param basic children 5
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
```

Add the squid HTTP auth user and password

```
htpasswd -c /etc/squid3/password UserName
```
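Before starting the services, here is an added example (not from this doc) of a pre-flight check over the two files written in steps 4 and 5: the chain is only closed when squid listens on loopback and requires `proxy_auth`, and nghttpx points its `backend` at that same port with `tls-proto-list=TLSv1.2`. The function names are assumptions and the sample configs used to exercise them are constructed.

```shell
#!/bin/sh
# Added example, not from the original doc: a pre-flight check over the
# nghttpx.conf and squid.conf written in steps 4 and 5. The proxy chain is
# only closed if squid is reachable solely through nghttpx (loopback bind,
# proxy_auth required) and nghttpx really forwards to that port over TLS 1.2.
# Assumes the key=value / squid.conf formats shown above; names are assumed.

# First value of key=value in an nghttpx-style config, ignoring comments.
conf_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# True (0) if squid has an uncommented "http_access allow" for an ACL that is
# not the proxy_auth ACL, i.e. some client can use it without a password.
squid_allows_unauthenticated() {
    auth_acl=$(sed -n 's/^[[:space:]]*acl[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}proxy_auth[[:space:]].*/\1/p' "$1" | head -n 1)
    sed -n 's/^[[:space:]]*http_access[[:space:]]\{1,\}allow[[:space:]]\{1,\}//p' "$1" \
        | grep -v -x -- "${auth_acl:-__none__}" | grep -q .
}

# $1 = nghttpx.conf, $2 = squid.conf; exit status = number of failed checks
check_proxy_chain() {
    fails=0
    backend=$(conf_value "$1" backend)
    case "$backend" in
        127.0.0.1,*|localhost,*) ;;
        *) echo "nghttpx backend is not loopback: $backend" >&2; fails=$((fails + 1)) ;;
    esac
    [ "$(conf_value "$1" tls-proto-list)" = "TLSv1.2" ] \
        || { echo "nghttpx tls-proto-list should be TLSv1.2" >&2; fails=$((fails + 1)); }
    [ "$(conf_value "$1" http2-proxy)" = "yes" ] \
        || { echo "nghttpx http2-proxy should be yes" >&2; fails=$((fails + 1)); }

    http_port=$(sed -n 's/^[[:space:]]*http_port[[:space:]]\{1,\}//p' "$2" | head -n 1)
    case "$http_port" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "squid http_port is not loopback-only: $http_port" >&2; fails=$((fails + 1)) ;;
    esac
    [ "${http_port#*:}" = "${backend#*,}" ] \
        || { echo "nghttpx backend port ${backend#*,} != squid port ${http_port#*:}" >&2; fails=$((fails + 1)); }
    grep -q '^[[:space:]]*acl[[:space:]].*proxy_auth[[:space:]]\{1,\}REQUIRED' "$2" \
        || { echo "squid has no proxy_auth REQUIRED acl" >&2; fails=$((fails + 1)); }
    if squid_allows_unauthenticated "$2"; then
        echo "squid allows access without authentication" >&2; fails=$((fails + 1))
    fi
    return "$fails"
}
```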
# 6. Run the services

```
service squid3 restart
service nghttpx start
```

If nghttpx does not run in the background, add the daemon argument in the init script. Stop the service with `ctrl-c`, then in `/etc/init.d/nghttpx` change

`DAEMON_ARGS="--conf /etc/nghttpx/nghttpx.conf --pid-file=$PIDFILE"`

to

`DAEMON_ARGS="--conf /etc/nghttpx/nghttpx.conf --pid-file=$PIDFILE --daemon"`

# 7. Start the service at boot

```
apt-get install sysv-rc-conf
sysv-rc-conf
```

Use `space` to select runlevels `2 3 4 5` for `nghttpx`, then press `q` to quit

# 8. Client connection

In chrome, use the SwitchyOmega extension to configure an https proxy; fill in the domain/ip, port, username and password.

--------------------------------------------------------------------------------
/快速搭建nghttp2 https代理.md:
--------------------------------------------------------------------------------

Environment: ubuntu server 14.04; the SSL certificate and private key for the second-level domain are stored at `/etc/nginx/certs/www.example.com.crt` and `/etc/nginx/certs/www.example.com.key`

**1. Install spdylay and nghttp2**

```
cd
mkdir tmp
cd tmp
wget https://github.com/freedocs/binary/raw/master/http2/nghttp2_1.0.5-DEV-1_amd64.deb
wget https://github.com/freedocs/binary/raw/master/http2/spdylay_1.3.3-DEV-1_amd64.deb

dpkg -i nghttp2_1.0.5-DEV-1_amd64.deb
dpkg -i spdylay_1.3.3-DEV-1_amd64.deb

rm *.deb
```

Configuration

```
wget https://github.com/freedocs/binary/raw/master/http2/nghttpx-init -O /etc/init.d/nghttpx
chmod +x /etc/init.d/nghttpx
mkdir /var/log/nghttpx/
mkdir /etc/nghttpx
wget https://github.com/freedocs/binary/raw/master/http2/nghttpx.conf.sample -O /etc/nghttpx/nghttpx.conf
```

Change `www.example.com` in `/etc/nghttpx/nghttpx.conf` to your domain
**2. Install and configure squid**

```
apt-get update
apt-get install squid3 apache2-utils -y
cd /etc/squid3/
mv squid.conf squid.conf.ori
wget https://github.com/freedocs/binary/raw/master/http2/squid.conf.sample -O squid.conf
```

Add the squid HTTP auth user and password

```
htpasswd -c /etc/squid3/password UserName
```

**3. Run the services**

```
service squid3 restart
service nghttpx start
```

**4. Enable start at boot**

```
update-rc.d nghttpx defaults
```

**One-click script**

```
#!/bin/bash

echo "Install nghttpx..."

cd
mkdir tmp
cd tmp
wget https://github.com/freedocs/binary/raw/master/http2/nghttp2_1.0.5-DEV-1_amd64.deb
wget https://github.com/freedocs/binary/raw/master/http2/spdylay_1.3.3-DEV-1_amd64.deb

dpkg -i nghttp2_1.0.5-DEV-1_amd64.deb
dpkg -i spdylay_1.3.3-DEV-1_amd64.deb

rm *.deb

wget https://github.com/freedocs/binary/raw/master/http2/nghttpx-init -O /etc/init.d/nghttpx
chmod +x /etc/init.d/nghttpx
mkdir /var/log/nghttpx/
mkdir /etc/nghttpx
wget https://github.com/freedocs/binary/raw/master/http2/nghttpx.conf.sample -O /etc/nghttpx/nghttpx.conf

read -p "Input domain name: " DOMAIN

# replace the placeholder domain in the sample config (dots escaped so only
# the literal www.example.com matches)
sed -i "s/www\.example\.com/$DOMAIN/g" /etc/nghttpx/nghttpx.conf

echo "Install squid3..."

apt-get update
apt-get install squid3 apache2-utils libev4 libjemalloc1 -y
cd /etc/squid3/
mv squid.conf squid.conf.ori
wget https://github.com/freedocs/binary/raw/master/http2/squid.conf.sample -O squid.conf

read -p "Input http username: " USERNAME

htpasswd -c /etc/squid3/password "$USERNAME"

echo "start services..."

service squid3 restart
service nghttpx start

update-rc.d nghttpx defaults

echo "done."
```

--------------------------------------------------------------------------------
/搭建谷歌和维基百科反向代理.md:
--------------------------------------------------------------------------------

Google search and Wikipedia can be reached by setting up reverse proxies: visiting `https://so.example.com` proxies Google, and visiting `https://wiki.example.com` proxies Wikipedia.

## System environment

ubuntu 16.04 64-bit, nginx, [ezgoo](https://github.com/Lafeng/ezgoo), supervisor

## Setting up the Google reverse proxy

**Install ezgoo**

For download and installation see [ezgoo](https://github.com/Lafeng/ezgoo), or fetch the binary with the following commands

```shell
mkdir /var/www/ezgoo
cd /var/www/ezgoo
wget https://github.com/freedocs/binary/raw/master/ezgoo/ezgoo.tar.gz
tar xf ezgoo.tar.gz
rm ezgoo.tar.gz
```

Test run: `./ezgoo -dir=dist`

**Manage the service with `supervisor`**

```shell
apt-get install supervisor
service supervisor start
update-rc.d supervisor enable
```

```shell
cd /etc/supervisor/conf.d
wget https://raw.githubusercontent.com/freedocs/binary/master/ezgoo/supervisor/ezgoo.conf
supervisorctl update
```

**Configure Nginx**

Remember to replace `example.com` with your domain

Domain that needs a signed certificate: `so.example.com`

`vi /etc/nginx/sites-available/so.example.com`

```shell
proxy_cache_path /var/cache/ggcc levels=1:2 keys_zone=ggcc:256m inactive=10d;

server {
    listen 80;
    listen 443 ssl http2;
    server_name so.example.com;

    ssl_certificate certs/so.example.com/fullchain.pem;
    ssl_certificate_key certs/so.example.com/privkey.pem;

    access_log /var/log/nginx/$host.access.log;

    if ($ssl_protocol = "") {
        return 302 https://$http_host$request_uri;
    }

    location / {
        #auth_basic "Contact the web master for password";
        #auth_basic_user_file .sopasswd;
        # use the cache
        proxy_cache ggcc; # the keys_zone name defined above
        proxy_cache_lock on;
        proxy_cache_key $host$uri;
        proxy_cache_valid 200 5d;
        proxy_cache_use_stale error timeout updating;

        # add cache status header
        add_header X-Cache $upstream_cache_status;

        # back-end
        # the three headers below are essential
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_http_version 1.1;
        proxy_redirect off;
        # Your AirGoo address:port
        proxy_pass http://127.0.0.1:18080;
    }
}
```

```shell
cd /etc/nginx/sites-enabled
ln -s ../sites-available/so.example.com
```

Restart the service with `service nginx restart` and open `https://so.example.com` to test.

## Setting up the Wikipedia reverse proxy

Note that `nginx` must be built with the `ngx_http_substitutions_filter_module` module

Remember to replace `example.com` with your domain

Domains that need signed certificates: `m-wiki.example.com` `up-wiki.example.com` `wiki.example.com`

`vi /etc/nginx/sites-available/wiki.example.com`

```shell
server {
    server_name wiki.example.com;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}

server {
    server_name wiki.example.com;
    listen 443 ssl;

    ssl_certificate certs/wiki.example.com/fullchain.pem;
    ssl_certificate_key certs/wiki.example.com/privkey.pem;

    location / {
        proxy_pass https://zh.wikipedia.org;
        proxy_buffering off;

        proxy_cookie_domain zh.wikipedia.org wiki.example.com;
        proxy_redirect https://zh.wikipedia.org/ /;
        proxy_redirect https://zh.m.wikipedia.org/ https://m-wiki.example.com/;

        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.wikipedia.org$request_uri";

        subs_filter_types text/css text/xml text/javascript;
        subs_filter '维基百科' '维基百科镜像';
        subs_filter zh.wikipedia.org wiki.example.com;
        subs_filter upload.wikimedia.org
up-wiki.example.com;
        subs_filter zh.m.wikipedia.org m-wiki.example.com;
    }
    location https://zh.m.wikipedia.org/ {
        rewrite ^/(.*) https://m-wiki.example.com/$1 permanent;
    }
}

server {
    server_name m-wiki.example.com;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}

server {
    server_name m-wiki.example.com;
    listen 443 ssl;

    ssl_certificate certs/wiki.example.com/fullchain.pem;
    ssl_certificate_key certs/wiki.example.com/privkey.pem;

    location / {
        proxy_pass https://zh.m.wikipedia.org;
        proxy_buffering off;

        proxy_redirect https://zh.m.wikipedia.org/ /;
        proxy_cookie_domain zh.m.wikipedia.org m-wiki.example.com;

        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.m.wikipedia.org$request_uri";

        subs_filter_types text/css text/xml text/javascript;
        subs_filter '维基百科' '维基百科镜像';
        subs_filter zh.wikipedia.org wiki.example.com;
        subs_filter zh.m.wikipedia.org m-wiki.example.com;
        subs_filter upload.wikimedia.org up-wiki.example.com;
    }
}

server {
    server_name up-wiki.example.com;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}

server {
    server_name up-wiki.example.com;
    listen 443 ssl;

    ssl_certificate certs/wiki.example.com/fullchain.pem;
    ssl_certificate_key certs/wiki.example.com/privkey.pem;

    location / {
        proxy_pass https://upload.wikimedia.org;
        proxy_cookie_domain upload.wikimedia.org up-wiki.example.com;
        proxy_buffering off;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header referer "https://upload.wikimedia.org$request_uri";
    }
}
```

```shell
cd /etc/nginx/sites-enabled
ln -s ../sites-available/wiki.example.com
```

Restart the service with `service nginx restart` and open `https://wiki.example.com` to test.

--------------------------------------------------------------------------------
/缩小kvm磁盘分区.md:
--------------------------------------------------------------------------------

# Shrinking a KVM disk partition

The disk partition is rather large. As the KVM guest is used, the free space inside it does not shrink, but file writes leave traces behind, so the image keeps taking more space on the host.

Shrinking the partition to a smaller size therefore greatly reduces disk usage and also cuts the time needed for maintenance, backups and the like.

**System environment**

```
archlinux, libvirt
```

**Install kpartx**

```
su user
git clone https://aur.archlinux.org/multipath-tools.git
cd multipath-tools

makepkg -si
```

**Convert the disk file to raw format**

```
virsh destroy builder
qemu-img convert -O raw builder.img builder.raw
```

## Adjusting an LVM logical partition

**View the partition information**

```
fdisk -l builder.raw

Disk builder.raw: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x69d905f3

Device       Boot   Start       End   Sectors  Size Id Type
builder.raw1 *       2048    999423    997376  487M 83 Linux
builder.raw2      1001470 167770111 166768642 79.5G  5 Extended
builder.raw5      1001472 167770111 166768640 79.5G 8e Linux LVM
```

```
parted builder.raw

GNU Parted 3.2
Using /home/libvirt/images/builder.raw
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model:  (file)
Disk /home/libvirt/images/builder.raw: 85.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  512MB   511MB   primary   ext2         boot
 2      513MB   85.9GB  85.4GB  extended
 5      513MB   85.9GB  85.4GB  logical                lvm
```

As shown, the builder.raw disk image has 80GB (85.9GB) in total, split into three partitions: the 487M (512M) boot primary partition 1, the 79.5G (85.4GB) extended partition 2, and the 79.5G (85.4GB) logical partition 5.

Our goal is to shrink the builder.raw image to 10GB. Since the boot partition takes 487M, the final extended partition 2 will be about 9.5G.

The LVM volumes sit directly on extended partition 2, so the `lvresize` and similar adjustments below use roughly 10G-487M rather than 10G.

**Map the partitions**

```
kpartx -av builder.raw

#dmsetup remove builder--vg-root
#dmsetup remove builder--vg-swap_1
```

```
dmsetup ls

builder--vg-root    (254:3)
builder--vg-swap_1  (254:4)
loop1p5             (254:2)
loop1p2             (254:1)
loop1p1             (254:0)
```

As shown, LVM contains two volumes, `builder--vg-root` and `builder--vg-swap_1`. After the cleanup we no longer need the `swap` volume; it can be replaced with a `swap` file afterwards.

Check the file systems for errors

```
e2fsck -fy /dev/mapper/loop1p1
e2fsck -fy /dev/mapper/builder--vg-root
```

**Adjust the LVM volumes**

```
lvdisplay
  --- Logical volume ---
  LV Path                /dev/builder-vg/root
  LV Name                root
  VG Name                builder-vg
  LV UUID                NHlDej-hJQr-AT3T-q7fY-RqdO-Fig1-DGmsdn
  LV Write Access        read/write
  LV Creation host, time builder, 2016-10-09 11:25:55 +0200
  LV Status              available
  # open                 0
  LV Size                71.52 GiB
  Current LE             18309
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:3

  --- Logical volume ---
  LV Path                /dev/builder-vg/swap_1
  LV Name                swap_1
  VG Name                builder-vg
  LV UUID                ptA94e-ms1T-5Q8s-qdcn-9GKy-DX4S-5Lx23T
  LV Write Access        read/write
  LV Creation host, time builder, 2016-10-09 11:25:55 +0200
  LV Status              available
  # open                 0
  LV Size                8.00 GiB
  Current LE             2048
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:4

```

Remove the `swap` volume

```
lvremove /dev/builder-vg/swap_1
```

Check how much space the disk contents actually occupy

```
qemu-img info builder.raw

image: builder.raw
file format: raw
virtual size: 80G (85899345920 bytes)
disk size: 7.6G
```

Only 7.6G is in use.

Shrink `/dev/mapper/builder--vg-root`; the size given to `resize2fs` must not be smaller than the space actually in use.

```
resize2fs /dev/mapper/builder--vg-root 8G
```

Shrink the LV to `10G-487M=9.5G`

```
lvreduce -L 9.5G /dev/builder-vg/root
e2fsck -fy /dev/mapper/builder--vg-root
resize2fs /dev/mapper/builder--vg-root
```

```
lvdisplay
vgdisplay
pvdisplay
```

Note that after removing the swap volume you can mount the file system and edit the fstab file

```
mount /dev/builder-vg/root /mnt
vi /mnt/etc/fstab
```

```
#/dev/mapper/builder--vg-swap_1 none
```

```
umount /mnt
```

**Adjust the extended partition**

```
dmsetup remove /dev/mapper/builder--vg-root
kpartx -d builder.raw

parted builder.raw
```

The target image size is `10GB`, i.e. `10*1024*1024*1024` bytes; parted works in units of `10^3`, so the target is `10*1024*1024*1024/1000/1000/1000 = 10.73741824 GB = 10.73GB`.

Round down a little here, leaving a few MB free for safety.

```
GNU Parted 3.2
Using /home/libvirt/images/builder.raw
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model:  (file)
Disk /home/libvirt/images/builder.raw: 85.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  512MB   511MB   primary   ext2         boot
 2      513MB   85.9GB  85.4GB  extended
 5      513MB   85.9GB  85.4GB  logical                lvm

(parted) resizepart 5
End?  [85.9GB]? 10.73GB
Warning: Shrinking a partition can cause data loss, are you sure you want to
continue?
Yes/No? yes
(parted) print
Model:  (file)
Disk /home/libvirt/images/builder.raw: 85.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  512MB   511MB   primary   ext2         boot
 2      513MB   85.9GB  85.4GB  extended
 5      513MB   10.7GB  10.2GB  logical                lvm

(parted) resizepart 2 10.73GB
Warning: Shrinking a partition can cause data loss, are you sure you want to
continue?
Yes/No? yes
(parted) print
Model:  (file)
Disk /home/libvirt/images/builder.raw: 85.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  512MB   511MB   primary   ext2         boot
 2      513MB   10.7GB  10.2GB  extended
 5      513MB   10.7GB  10.2GB  logical                lvm

(parted) quit
```

**Resize the physical volume**

First confirm how much space needs to be allocated

```
kpartx -av builder.raw
pvs -v --segments /dev/mapper/loop1p5
```

```
    Wiping internal VG cache
    Wiping cache of LVM-capable devices
  WARNING: Device /dev/mapper/loop1p5 has size of 19955560 sectors which is smaller than corresponding PV size of 166768640 sectors. Was device resized?
  One or more devices used as PVs in VG builder-vg have changed sizes.
  PV                  VG         Fmt  Attr PSize  PFree  Start SSize LV   Start Type   PE Ranges
  /dev/mapper/loop1p5 builder-vg lvm2 a--  79.52g 70.02g     0  2432 root     0 linear /dev/mapper/loop1p5:0-2431
  /dev/mapper/loop1p5 builder-vg lvm2 a--  79.52g 70.02g  2432 17925          0 free
```

As shown, `2432*4M = 9728M` is needed

```
#pvresize --setphysicalvolumesize 9728M /dev/mapper/loop1p5
pvresize /dev/mapper/loop1p5
```

```
e2fsck -fy /dev/mapper/builder--vg-root

dmsetup remove /dev/mapper/builder--vg-root
kpartx -d builder.raw
```

**Resize the image file**

```
qemu-img resize builder.raw 10G
```

This completes shrinking the KVM image file.

**Convert the image format**

```
qemu-img convert -O qcow2 builder.raw builder.qcow2
```

Then back up `builder.img`, put `builder.qcow2` in place of the original `builder.img`, start the KVM guest, log in and check the partition state with `df -h`, `blkid` and similar commands.

```
virsh start builder
```

## Adjusting a plain partition

```
fdisk -l ubuntu.raw
Disk ubuntu.raw: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x4708a4ce

Device      Boot    Start      End  Sectors  Size Id Type
ubuntu.raw1 *        2048 60817407 60815360   29G 83 Linux
ubuntu.raw2      60819454 62912511  2093058 1022M  5 Extended
ubuntu.raw5      60819456 62912511  2093056 1022M 82 Linux swap / Solaris
```

The steps below remove the swap and extended partitions and resize the primary partition to a suitable size

**Mount the file system and edit fstab**

```
mount /dev/mapper/loop0p1 /mnt
```

Comment out the swap partition; it can be mounted as a swap file afterwards

```
vi /mnt/etc/fstab

#UUID=95a9913e-06d2-4bd1-90eb-d1d63a00a853 none swap sw
```

Zero-fill the free space of the file system

```
dd if=/dev/zero of=/mnt/test.file bs=1M
rm /mnt/test.file
sync
```

Check how much space needs to be allocated; 10G is enough here

```
df -h
/dev/mapper/loop0p1   29G  6.4G   21G  24% /mnt
```

Unmount the partition

```
umount /mnt
```

**Resize the partition**

First check the file system, then move its contents with `resize2fs`.

```
e2fsck -f /dev/mapper/loop0p1
resize2fs /dev/mapper/loop0p1 9G
```

Use `parted` to adjust the partition layout. Note that `parted` works in units of `10^3`, so 10GB is entered as 10.73GB (10*1024*1024*1024/1000/1000/1000) when resizing. You can go slightly smaller.

```
kpartx -d ubuntu.raw
parted ubuntu.raw
```

```
(parted) print
Model:  (file)
Disk /home/libvirt/images/ubuntu.raw: 32.2GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system     Flags
 1      1049kB  31.1GB  31.1GB  primary   ext4            boot
 2      31.1GB  32.2GB  1072MB  extended
 5      31.1GB  32.2GB  1072MB  logical   linux-swap(v1)

(parted) rm 2
(parted) print
Model:  (file)
Disk /home/libvirt/images/ubuntu.raw: 32.2GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  31.1GB  31.1GB  primary   ext4         boot

(parted) resizepart 1 10.73GB
Warning: Shrinking a partition can cause data loss, are you sure you want to
continue?
Yes/No?
yes
(parted) print
Model:  (file)
Disk /home/libvirt/images/ubuntu.raw: 32.2GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type      File system  Flags
 1      1049kB  10.7GB  10.7GB  primary   ext4         boot
```

Check the partition state

```
fdisk -l ubuntu.raw

kpartx -av ubuntu.raw

e2fsck -f /dev/mapper/loop0p1
```

**Resize the image file**

```
qemu-img resize ubuntu.raw 10G

kpartx -d ubuntu.raw
kpartx -av ubuntu.raw
e2fsck -f /dev/mapper/loop0p1
```

**Convert the image format**

```
kpartx -d ubuntu.raw
qemu-img convert -O qcow2 ubuntu.raw ubuntu.qcow2
```

The resulting `qcow2` file is the image with the shrunk partition. Back up the original image, rename the new one, and start the KVM guest to test that everything works.

```
mkdir backup

mv ubuntu.img backup
mv ubuntu.raw backup
mv ubuntu.qcow2 ubuntu.img

virsh start ubuntu
```
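The size arithmetic in this procedure mixes three units: GiB for `qemu-img`, `resize2fs` and `lvreduce`, 4 MiB extents for `pvs`, and 10^9-based GB for `parted`. As an added example (not part of this doc), the shell functions below do that arithmetic in bytes and check that a plan nests in the right order (file system inside LV, LV inside PV, PV inside partition, partition inside image), which is the order in which the steps above shrink things; the function names are assumptions and the numbers used are the doc's own.

```shell
#!/bin/sh
# Added example, not from the original doc: the procedure's size arithmetic
# done in bytes, so GiB (qemu-img/resize2fs/lvreduce), 4 MiB extents (pvs) and
# parted's 10^9-based GB cannot be confused, plus an ordering check of the plan.
# Function names are assumptions; the numbers used in the test are the doc's own.

MiB=1048576
GiB=1073741824

# Multiply a decimal string such as 9.5 or 10.73 by a unit in bytes (truncating).
dec_times() {
    # $1 = decimal string, $2 = unit in bytes
    int=${1%%.*}
    frac=${1#*.}; [ "$frac" = "$1" ] && frac=""
    scale=1; n=${#frac}
    while [ "$n" -gt 0 ]; do scale=$((scale * 10)); n=$((n - 1)); done
    frac=$(printf '%s' "$frac" | sed 's/^0*//')      # avoid octal-looking "05"
    echo $(( int * $2 + ${frac:-0} * $2 / scale ))
}

# parted "GB" value for a whole number of GiB, rounded DOWN to two decimals,
# which is how the doc arrives at 10.73GB for a 10G image.
gib_to_parted_gb() {
    hundredths=$(( $1 * GiB / 10000000 ))            # floor(bytes / 10^7)
    printf '%d.%02d\n' $(( hundredths / 100 )) $(( hundredths % 100 ))
}

# Minimum PV size in MiB: used extents (SSize of the LV segment in
# `pvs --segments`) times the extent size.
pv_min_mib() {
    # $1 = used extents, $2 = extent size in MiB
    echo $(( $1 * $2 ))
}

# Verify that the shrink plan nests correctly:
#   file system <= LV <= PV <= logical partition, and partition end <= image.
# $1 resize2fs GiB, $2 lvreduce GiB (decimal), $3 PV MiB,
# $4 partition start in parted MB, $5 partition end in parted GB (decimal), $6 image GiB
check_shrink_plan() {
    fs_b=$(( $1 * GiB ))
    lv_b=$(dec_times "$2" "$GiB")
    pv_b=$(( $3 * MiB ))
    end_b=$(dec_times "$5" 1000000000)
    part_b=$(( end_b - $4 * 1000000 ))
    img_b=$(( $6 * GiB ))
    [ "$fs_b" -le "$lv_b" ]   || { echo "file system ($1G) larger than LV ($2G)" >&2; return 1; }
    [ "$lv_b" -le "$pv_b" ]   || { echo "LV ($2G) larger than PV ($3M)" >&2; return 1; }
    [ "$pv_b" -le "$part_b" ] || { echo "PV ($3M) does not fit in the partition" >&2; return 1; }
    [ "$end_b" -le "$img_b" ] || { echo "partition end ($5GB) beyond image ($6G)" >&2; return 1; }
    return 0
}
```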
--------------------------------------------------------------------------------
/通过haproxy为http,ss监听同一端口.md:
--------------------------------------------------------------------------------

haproxy inspects the type of incoming traffic, listens on a single port (80) and picks a different backend by traffic type. Since `https` is encrypted and `wss` is not well supported, configuring this kind of multiplexed listener on port 443 is not recommended.
You can of course also use an application-protocol multiplexer such as sslh (https://github.com/yrutschle/sslh) for port sharing.

## 1. nginx http listens on 127.0.0.1

```shell
listen 127.0.0.1:80;
```

## 2. Install haproxy 1.5

```shell
apt-get install software-properties-common
add-apt-repository ppa:vbernat/haproxy-1.5
apt-get update
apt-get install haproxy
```

## 3. haproxy configuration parameters

`vi /etc/haproxy/haproxy.cfg`

```shell
global
    ulimit-n 51200
    log /dev/log local0 info
    log /dev/log local1 notice
    chroot /var/lib/haproxy

defaults
    log global
    mode tcp
    option dontlognull
    timeout connect 1000
    timeout client 150000
    timeout server 150000

listen multi-server
    bind x.x.x.x:80
    tcp-request inspect-delay 2s
    tcp-request content accept if HTTP
    #acl is_ssl req_ssl_ver 2:3.1

    use_backend http if HTTP
    use_backend ss if !HTTP

backend http
    mode http
    option forwardfor header Client-IP
    option http-server-close
    server nginx 127.0.0.1:80

backend ss
    server server-ss :8080 maxconn 20480
```

`x.x.x.x` is the server's public IP. When the request is `http`, the connection is handed to nginx listening on `127.0.0.1:80`; otherwise it is connected to local port `8080`.
Once configured, `haproxy` writes its log to `/var/log/haproxy.log`.
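As an added example (not part of this doc or of HAProxy), here is a simplified model of the routing decision the configuration above makes: a connection goes to the `http` backend once a complete request line has arrived, keeps waiting while what has arrived could still become one, and goes to `ss` once `tcp-request inspect-delay` (2s) has elapsed or the bytes cannot be HTTP. `route_connection` and its millisecond argument are assumptions; the captured byte samples used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original doc or from HAProxy: a simplified model
# of the routing decision made by "tcp-request inspect-delay 2s" plus
# "use_backend http if HTTP / use_backend ss if !HTTP" above.
# $1 = file holding the bytes received so far, $2 = ms since the connection opened.
# Prints http, ss or wait. Names and the ms argument are assumptions.
route_connection() {
    buf="$1"; elapsed_ms="$2"
    lines=$(( $(wc -l < "$buf") ))                  # complete (newline-terminated) lines
    # A complete request line (METHOD SP target SP HTTP/x.y) is accepted as HTTP.
    if [ "$lines" -ge 1 ] \
       && head -n 1 "$buf" | tr -d '\r' | grep -Eq '^[A-Z]{3,10} [^ ]+ HTTP/[0-9]\.[0-9]$'; then
        echo http; return 0
    fi
    # Within the inspect delay, keep buffering only while the data could still
    # grow into a request line: no complete line yet and only printable ASCII
    # (plus CR). This also covers a client that has sent nothing at all.
    cr=$(printf '\r')
    if [ "$elapsed_ms" -lt 2000 ] && [ "$lines" -eq 0 ] \
       && ! LC_ALL=C grep -q "[^ -~$cr]" "$buf"; then
        echo wait; return 0
    fi
    # Delay expired, or bytes that cannot be HTTP (e.g. a TLS record or an
    # encrypted stream): hand the raw TCP connection to the ss backend.
    echo ss
}
```

Two consequences of the configuration show up in the model: a client that waits for the server to speak first is only handed to `ss` after the 2s delay, and a slow HTTP client whose request line is still incomplete at 2s is routed to `ss` instead of nginx.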