3 月份买的腾讯云的这台 VPS，刚发现现在退款只能返回 0 元。测试应用已经迁移到 JD，清除内容太麻烦，重装更简单。
因为配合政策，国内的云主机都有两个 IP 地址，一个内网，一个外网，中心有防火墙来监控数据安全。各个云供应商也会有自己的预安装的服务，用来监控主机以配合 ZF 的监控制度。

环境
OS：Ubuntu 24
主机：公/私网各一个 IP
防火墙：云提供
FQDN: bjt.daven.us

配置过程
1.更换 apt 源
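# Step 1: switch the apt source list to the TUNA mirror.
# The page's comment says "back up the current file", but the command it ran
# was `rm`; copy it aside instead (tee below overwrites the original anyway).
cp -a -- /etc/apt/sources.list.d/ubuntu.sources /etc/apt/sources.list.d/ubuntu.sources.bak
# Replace it (deb822 format; the two stanzas must be separated by a blank
# line). Signed-By keeps the official Ubuntu archive keyring, so packages are
# still signature-verified even though they are fetched from a mirror.
# Serving noble-security from a mirror rather than the Ubuntu security pocket
# means security updates arrive only as fast as the mirror syncs — confirm
# that is acceptable.
tee /etc/apt/sources.list.d/ubuntu.sources >/dev/null <<'EOF'
Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
# Drop the cached package lists (and the AppStream catalog cache) of the old
# mirror so the next update fetches everything from the new one.
rm -rf /var/lib/apt/lists/*
rm -rf /var/lib/swcatalog/yaml/*
# Refresh the package lists.
apt update
# 2.清理无用的预安装软件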
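# Step 2: remove pre-installed software that is not wanted on this host.
# Tencent Cloud agent packages and their install directory. The pattern is
# quoted so the shell cannot expand it against files in the current
# directory; apt interprets the pattern itself.
apt remove --purge 'qcloud-*'
rm -rf /usr/local/qcloud/
# Services the author considers unneeded on a headless VPS (presumably
# hardware/desktop oriented). Note that purging policykit-1/polkit can affect
# non-root use of systemctl/timedatectl — the rest of this page runs as root.
apt remove --purge modemmanager
apt remove --purge udisks2
apt remove --purge policykit-1
apt remove --purge multipath-tools
systemctl disable networkd-dispatcher
apt remove --purge networkd-dispatcher
# Removing unattended-upgrades means security updates are no longer applied
# automatically; `apt upgrade` (step 4) must then be run by hand regularly.
systemctl disable unattended-upgrades
apt remove --purge unattended-upgrades
# Disable the units first so nothing restarts them while apt removes them.
systemctl disable fwupd.service
systemctl disable packagekit.service
systemctl disable polkit.service
systemctl disable upower.service
apt remove --purge fwupd packagekit policykit-1 upower
sudo apt autoremove
sudo apt autoclean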
腾讯云部分
# Tencent Cloud leftovers: the yunjing cron entry (presumably the vendor's
# host agent) and the cached package lists of the Tencent mirror that step 1
# replaced. `rm -f` ignores patterns that match nothing.
sudo rm -f -- \
  /etc/cron.d/yunjing \
  /var/lib/apt/lists/mirrors.tencentyun.com_* \
  /var/lib/swcatalog/yaml/mirrors.tencentyun.com_*
# 3.添加主机名
vi /etc/hostname
bjt

vi /etc/hosts
127.0.1.1 bjt.daven.us bjt
127.0.0.1 localhost bjt
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

4.升级软件包 OS
# Step 4: bring packages (and optionally the release) up to date.
apt update
apt upgrade
# NOTE(review): `apt purge` with no package argument purges nothing —
# `apt autoremove --purge` may have been intended; confirm.
apt purge
# do-release-upgrade is provided by update-manager-core. On a fresh LTS it
# will typically report that no new release is available (TODO confirm).
apt install update-manager-core
sudo do-release-upgrade
# 5.SSH 配置
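# Step 5: sshd configuration. Written here as a heredoc so the block is
# reproducible; the page edits the file with vi. This listing has no
# `Include /etc/ssh/sshd_config.d/*.conf` line, so Ubuntu's cloud-init
# drop-in (which may set PasswordAuthentication yes) is not consulted — if
# your file keeps an Include line, check the effective values with `sshd -T`.
cat > /etc/ssh/sshd_config <<'EOF'
Port 9922
Protocol 2
AddressFamily any
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
# prohibit-password instead of the page's "yes": root keeps key-based access,
# but password/keyboard-interactive logins for root stay refused even if
# PasswordAuthentication is turned back on later.
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
# Older alias of KbdInteractiveAuthentication; still accepted.
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxSessions 3
PermitUserEnvironment no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
# Validate before restarting: a syntax error here would lock you out of the
# host. Open 9922 in ufw (step 10) and in the cloud firewall before you
# close the current session.
sshd -t || { printf 'sshd_config is invalid; not restarting ssh\n' >&2; exit 1; }
# daemon-reload is on the page presumably because Ubuntu's socket-activated
# ssh derives its listen port from sshd_config when units are (re)generated —
# confirm on your release.
systemctl daemon-reload
systemctl restart ssh
# 6. 替换主机密钥 Host Keys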
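# Step 6: regenerate the host keys the image shipped with. Clients that
# already have this host in known_hosts will see a host-key-changed warning
# afterwards; sshd picks the new keys up on its next restart (the page
# reboots in step 7).
rm -f /etc/ssh/ssh_host_*_key*
# -N '': host keys must be unencrypted; without it ssh-keygen prompts
# interactively for a passphrase.
ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
# DSA is deprecated in OpenSSH and the sshd_config of step 5 lists no
# ssh_host_dsa_key, so the DSA key the page generated here would be unused.
# ssh-keygen -t dsa -b 1024 -N '' -f /etc/ssh/ssh_host_dsa_key
# `ll` is an interactive alias, not a command; list the result explicitly.
ls -l /etc/ssh/
# 7.设置主机时区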
timedatectl set-timezone Asia/Shanghai
重启主机。注意 SSH 端口已由 22 改为 9922。

8. ACME 申请 SSL
1) 安装 nginx
apt install nginx git uuid-runtime
2) ACME 获取 SSL
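# Step 8.2: obtain a Let's Encrypt certificate with acme.sh, manual DNS mode.
# gitee.com hosts a mirror of acme.sh; trusting a mirror rather than the
# upstream repository is a supply-chain decision — compare the checkout with
# upstream before installing it on a server.
git clone https://gitee.com/neilpang/acme.sh.git
cd acme.sh || exit 1
# The page does not list the install step, but the ~/.acme.sh/acme.sh path
# used below and the `source ~/.bashrc` (which presumably picks up the alias
# the installer adds) both presuppose it.
./acme.sh --install
source ~/.bashrc
# The page shows "-m davedaven.us"; the '@' was lost in extraction — confirm.
~/.acme.sh/acme.sh --register-account -m dave@daven.us
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
# Domain already issued once: renew only.
#~/.acme.sh/acme.sh --renew -d bjt.daven.us --yes-I-know-dns-manual-mode-enough-go-ahead-please
# New domain. The first run prints the TXT record to create; after adding it
# at the DNS provider, run the same command again with --renew. Manual DNS
# mode cannot be renewed by acme.sh's cron job — every renewal needs the same
# manual TXT update, so watch the expiry date.
~/.acme.sh/acme.sh --issue -d bjt.daven.us --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
~/.acme.sh/acme.sh --issue -d bjt.daven.us --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
# Not shown on the page: `--install-cert` to copy the certificate and key to
# the paths the nginx config of step 9 expects (/etc/letsencrypt/cert/bjt.daven.us/).
# 9.配置 nginx 来使用 SSL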
vi /etc/nginx/sites-available/bjt.daven.us server { listen 7033 ssl http2; listen [::]:7033 ssl http2; server_name bjt.daven.us; # 更新为acme.sh安装的证书路径 ssl_certificate /etc/letsencrypt/cert/bjt.daven.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/cert/bjt.daven.us/privkey.pem; # 添加SSL安全配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; location /ray { proxy_redirect off; proxy_pass http://127.0.0.1:10000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } # 可选如果需要HTTP重定向到HTTPS #server { # listen 80; # listen [::]:80; # server_name bjt.daven.us; # return 301 https://$host:6033$request_uri; #} 10. ufw 配置
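# Step 10: ufw. Add the allow rules before enabling: the page enabled the
# default-deny firewall first, which drops the current SSH session on 9922
# before that port is allowed. The cloud firewall/security group the page
# mentions must allow the same ports.
ufw allow 9922/tcp   # SSH (moved from 22 in step 5)
ufw allow 9017/udp   # no other step on this page uses it — confirm it is needed
ufw allow 443/tcp    # no listener on this page uses 443 — confirm it is needed
ufw allow 80/tcp     # optional HTTP->HTTPS redirect in step 9
ufw allow 9090/tcp   # no other step on this page uses it — confirm it is needed
ufw allow 7033/tcp   # nginx TLS listener (step 9)
systemctl enable ufw
sudo ufw enable
# The page edits /etc/default/ufw by hand, changing DEFAULT_FORWARD_POLICY
# from DROP to ACCEPT. ACCEPT lets the host forward packets between
# interfaces, which is only needed if this box routes or NATs traffic;
# otherwise leave it at DROP.
sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sudo ufw reload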