山高疑日近,海阔觉天低

安全上网

  • BBR
  1. 传说中的BBR我相信,你在搜索各种科学上网技术的时候,肯定不止一次的听过bbr这个东西,在各种博客添油加醋之下,让人觉得它神乎其神。更有bbrplus, bbr2, 魔改bbr 等一大堆衍生品。仿佛神油一般,用了就能野鸡线路变专线。那么,这东西究竟是什么?它有没有用?又该用哪一个版本呢?
  2. 实际的BBR = Bottleneck Bandwidth and Round-trip propagation time,是一种TCP的拥塞控制算法。简单粗暴的理解就是数据流量的交通管理:当公路不再塞车的时候,每辆车自然就能保持较快的车速了。那么它有没有用呢?一般而言,有BBR 和 没有BBR 会有可以感知的差别(速度、稳定性、延迟方面都会有一些改善),所以 【非常建议开启 BBR】。但开启之后,BBR 在 4.x和5.x之间的差异往往比较微妙、见仁见智,造成体验差别的决定性因素仍然是线路质量。所以 【不必纠结版本、不必盲目追新、跟随你的发行版更新内核即可】
  3. bbrplus, bbr2, 魔改bbr和其他各种听起来就酷炫的版本是不是更好?一句话:不是!不要用这些!这些都为了吸引眼球乱起的名字!BBR 的更新和发布,都是跟随Linux的内核(Kernel)进行的。换言之,只要你用的是比较新的内核,就自然会使用到新版BBR。而这些名字看起来很酷炫的东西,说白了就是仍未正式发布的、尚在测试阶段的内核及其对应的BBR版本。这些脚本也仅仅就是通过下载预览版的内核(甚至第三方魔改内核)来率先开启而已。内核的稳定是一台服务器稳定运行的基石。【BBR测试版带来的细微性能差异绝对不值得更换不稳定的内核。】 请选择你所在的Linux发行版所支持的最新内核,这样可以最大限度的保持服务器的长期稳定和兼容。
  4. fq, fq_codel, fq_pie, cake和其他算法哪个好?一句话:看不懂的话,请保持fq,足够、且不会劣化你的线路安装elrepo并升级内核
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
    rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
    yum --enablerepo=elrepo-kernel install kernel-ml -y

    如果安装成功的话,您应该会看到 kernel-ml-*-1.el7.elrepo.x86_64 出现在结果列表中:

    kernel-ml-4.9.0-1.el7.elrepo.x86_64
    kernel-3.10.0-514.el7.x86_64
    kernel-3.10.0-514.2.2.el7.x86_64

    现在您需要通过设置默认 grub2 引导来启用 4.9.0+ 内核。
    查看所有 grub2 列表

    egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'  
    //or
    awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg

    结果应该是这样的:

    CentOS Linux (5.12.10-1.el7.elrepo.x86_64) 7 (Core)
    CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)
    CentOS Linux (3.10.0-1062.1.1.el7.x86_64) 7 (Core)
    CentOS Linux (0-rescue-96820b9851c24560b5f942f2496b9aeb) 7 (Core);
    

    索引开始于 0。这意味着系统 5.12 位于”0″

    grub2-set-default 0

    设置bbr算法为fq:

    vi /etc/sysctl.conf

    添加如下内容:

    net.core.default_qdisc = fq
    net.ipv4.tcp_congestion_control = bbr
    net.ipv6.conf.all.disable_ipv6 = 1 //禁用ipv6
  5. 加载系统参数sysctl -p(正常情况下会输出我们之前加入的内容)
    验证bbr是否已经开启,输入sysctl net.ipv4.tcp_available_congestion_control
    如果返回:

    net.ipv4.tcp_available_congestion_control = reno cubic bbr

    则安装成功
    输入lsmod | grep bbr如果返回

    tcp_bbr                20480  2

    则安装成功

  • Xray
  1. Xray资料
    https://xtls.github.io/  //说明文档
    https://github.com/XTLS/Xray-core  //代码位置
    https://github.com/2dust/v2rayNG/releases //V2rayNG
    https://github.com/wulabing/Xray_onekey //一键脚本
  2. Xray文件位置
    /usr/local/etc/xray/config.json Xray程序设置 《Xray服务器篇》
    /etc/ssl/xray/cert.pem TLS证书 《Xray服务器篇》
    /etc/ssl/xray/privkey.key TLS私钥 《Xray服务器篇》
    installed: /etc/systemd/system/xray.service
    installed: /etc/systemd/system/xray@.service
    installed: /usr/local/bin/xray
    installed: /usr/local/etc/xray/*.json
    installed: /usr/local/share/xray/geoip.dat
    installed: /usr/local/share/xray/geosite.dat
    installed: /var/log/xray/access.log
    installed: /var/log/xray/error.log
  3. Xray服务器配置
    {
      "log": {
        "access": "/var/log/xray/access.log",
        "error": "/var/log/xray/error.log",
        "loglevel": "warning"
      },
      "inbounds": [
        {
          "port": 443,
          "protocol": "vless",
          "settings": {
            "clients": [
              {
                "id": "*",
                "flow": "xtls-rprx-direct"
              }
            ],
            "decryption": "none",
            "fallbacks": [
              {
                "dest": 60000,
                "alpn": "",
                "xver": 1
              },
              {
                "dest": 60001,
                "alpn": "h2",
                "xver": 1
              }
            ]
          },
          "streamSettings": {
            "network": "tcp",
            "security": "xtls",
            "xtlsSettings": {
              "minVersion": "1.2",
              "certificates": [
                {
                  "certificateFile": "/etc/ssl/xray/cert.pem",
                  "keyFile": "/etc/ssl/xray/privkey.key"
                }
              ]
            }
          }
          
        }
      ],
      "outbounds": [
        {
          "protocol": "freedom"
        }
      ]
    }
  4. 申请泛证书
    腾讯DNSPod https://console.dnspod.cn/ 获得ID与Key

    curl https://get.acme.sh | sh
    source ~/.bashrc
    export DP_Id="*"
    export DP_Key="*"
    acme.sh --register-account -m *@gmail.com
    acme.sh --issue --dns dns_dp -d 861205.xyz -d *.861205.xyz
    acme.sh --install-cert -d 861205.xyz --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key
    下面是自动更新脚本
    #!/bin/bash
    systemctl stop nginx xray
    /root/.acme.sh/acme.sh --issue --dns dns_dp -d 861205.xyz -d *.861205.xyz
    /root/.acme.sh/acme.sh --install-cert -d 861205.xyz --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key
    systemctl start nginx xray
  5. Nginx配置 Xray做为前端分流 启动fpm解析器:systemctl enable php-fpm
    # Upstream to abstract backend connection(s) for php
    upstream php {
    #        server unix:/tmp/php-cgi.socket;
            server 127.0.0.1:9000;
    }
    server
    {
        listen 80;
        server_name 861205.xyz;
        return 301 https://$http_host$request_uri;
        access_log  /dev/null;
        error_log  /dev/null;
    }
    server
    {
     #   set_real_ip_from 127.0.0.1;
     #   real_ip_header proxy_protocol;
        listen 127.0.0.1:60000 proxy_protocol;
        listen 127.0.0.1:60001   http2  proxy_protocol;
        server_name localhost;
        root /var/www/wordpress;
        index index.php;
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
    
        # indicate locations of SSL key files.
    #    ssl_certificate /etc/ssl/xray/cert.pem;
    #    ssl_certificate_key /etc/ssl/xray/privkey.key;
    
     
        # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        location / {
            # This is cool because no php is touched for static content.
            # include the "?$args" part so non-default permalinks doesn't break when using query string
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_pass php;
            #if no follwing set web is wrong
            fastcgi_param HTTPS on;
            #The following parameter can be also included in fastcgi_params file
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
        # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
        location ~ /\. {
            deny all;
        }
        # Deny access to any files with a .php extension in the uploads directory
        # Works in sub-directory installs and also in multisite network
        # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }
    }
    
  6. Nginx 的NextCloud服务器配置 参考连接
    upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php/php7.4-fpm.sock;
    }
    server {
        listen 127.0.0.1:60002 proxy_protocol;
        listen 127.0.0.1:60003 http2 proxy_protocol;
        server_name nc.861205.xyz;
        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
    
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    
        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;
    
        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"   always;
        add_header X-Content-Type-Options               "nosniff"       always;
        add_header X-Download-Options                   "noopen"        always;
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
        add_header X-Robots-Tag                         "none"          always;
        add_header X-XSS-Protection                     "1; mode=block" always;
    
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
    
        # Path to the root of your installation
        root /var/www/nextcloud;
    
        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;
    
        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }
    
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
    
        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.
    
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
    
            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
    
            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }
    
        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
    
        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
    
            try_files $fastcgi_script_name =404;
    
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;
    
            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;
    
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }
    
        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }
    
        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }
    
        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }
    
        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }

附件

未经允许不得转载:Mr.Zhang » 安全上网

评论 抢沙发

评论前必须登录!