小鑫的GNU/Linux学习网站 https://linux.xiazhengxin.name/rss.php/index.php Copyright 2026, 小鑫 小鑫 zh-CN SPHPBLOG 0.7.0 腾讯云开启ipv6,重启后地址失效 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry260102-070229 

[root@VM-4-3-rockylinux ~]# nl ipv6.sh
     1  if [ ! -f "/etc/tencentcloud_ipv6_base.sh" ]; then
     2  cat <<'EOF' > '/etc/tencentcloud_ipv6_base.sh'
     3  #!/bin/bash

     4  ## support ipv6 eip config from TAT
     5  ## Version:1.0

     6  DEFAULTMODE=$1
     7  DEFAULTADDR=$2
     8  DEFAULTULA=$3
     9  DEFAULTISP=$4
    10  DEFAULTDEV="eth0"

    11  DEVCOUNT=0
    12  ADDRCOUNT=0
    13  MODE=""
    14  ADDR=""
    15  ULA=""
    16  ISP="" # XXX not used yet
    17  DEV=""

    18  determine_device_name() {
    19      # init default value
    20      local ula_addr=${1:-}
    21      local devices=""
    22      local mac_addr=""

    23      # get dev from ula
    24      devices=($(ip -o link show 2>/dev/null | awk -F': ' '{print $2}' || echo ""))
    25      if [[ -n "$devices" ]]; then
    26          for dev in "${devices[@]}"; do
    27              if ip -6 addr show dev "$dev" 2>/dev/null | grep -q "inet6 $ula_addr" 2>/dev/null; then
    28                  echo "$dev"
    29                  return
    30              fi
    31          done
    32      fi

    33      # get dev from metadata
    34      mac_addr=$(curl -s -m 5 http://metadata.tencentyun.com/meta-data/mac 2>/dev/null || echo "")
    35      if [[ -n "$mac_addr" && -n "$devices" ]]; then
    36          for dev in "${devices[@]}"; do
    37              if ip link show "$dev" 2>/dev/null | grep -q "$mac_addr" 2>/dev/null; then
    38                  echo "$dev"
    39                  return
    40              fi
    41          done
    42      fi

    43      # fallback to default
    44      echo "$DEFAULTDEV"
    45  }

    46  sync_config_from_meta() {
    47      MODE=$DEFAULTMODE
    48      ADDR=$DEFAULTADDR
    49      ULA=$DEFAULTULA
    50      ISP=$DEFAULTISP
    51      DEV=$(determine_device_name "$ULA")
    52      # TODO
    53      DEVCOUNT=1
    54      ADDRCOUNT=1
    55  }

    56  setup_dhcpclient_dhclient()
    57  {
    58      local dev=$1

    59      if [[ $MODE == "PASSTHROUGH" ]]; then
    60          # stop client
    61          pid=`cat /var/run/dhclient6.pid`
    62          if [[ -n $pid ]]; then
    63              /usr/bin/kill -9 `cat /var/run/dhclient6.pid`
    64          fi
    65      else
    66          # start client
    67          if [[ ! -f /var/run/dhclient6.pid ]]; then
    68              /sbin/dhclient -6 -nw $dev
    69          fi
    70      fi
    71  }

    72  setup_dhcpclient_systemd()
    73  {
    74      local dev=$1
    75      local profile="/run/systemd/network/10-netplan-$dev.network"
    76      local disabled=`/usr/bin/grep "IPv6AcceptRA=false" $profile; echo $?`

    77      sed -i "/\[Network\]/aGateway=fe80::feee:ffff:feff:ffff" $profile
    78      if [[ $MODE == "PASSTHROUGH" ]]; then
    79          if [[ $disabled == "1" ]]; then
    80              # stop client
    81              sed -i "/\[Network\]/aIPv6AcceptRA=false" $profile
    82              sed -i "/\[Network\]/aAddress=${ADDR}" $profile
    83              networkctl reload
    84              sleep 1
    85          fi
    86          # XXX persistent config causes cloud-init not bringing up $dev
    87          # /usr/bin/sed -i "/eth0:/a\      accept_ra: false" /etc/netplan/00-installer-config.yaml
    88      else
    89          if [[ $disabled == "0" ]]; then
    90              # start client
    91              sed -i "/IPv6AcceptRA=false/d" $profile
    92              sed -i '/^Address=\([0-9a-fA-F]\{1,4\}:\)\{7\}[0-9a-fA-F]\{1,4\}/d' $profile
    93              networkctl reload
    94              sleep 1
    95          fi
    96          # persistent config
    97          # /usr/bin/sed -i "/accept-ra: false/d" /etc/netplan/00-installer-config.yaml
    98      fi
    99  }

   100  setup_dhcpclient_nm()
   101  {
   102      local dev=$1
   103      local connection="System $1"
   104      local method=`/usr/bin/nmcli c s "$connection" | grep ipv6.method | awk '{print $2}'`

   105      if [[ $MODE == "PASSTHROUGH" ]]; then
   106          if [[ $method == "auto" ]]; then
   107              # stop client
   108              /usr/bin/nmcli c m "$connection" ipv6.method ignore
   109          fi
   110      else
   111          if [[ $method == "ignore" ]]; then
   112              # start client
   113              /usr/bin/nmcli c m "$connection" ipv6.method auto
   114              /usr/bin/nmcli c up "$connection"
   115          fi
   116      fi
   117  }

   118  setup_dhclient()
   119  {
   120      if [[ -f /etc/opencloudos-release ]]; then
   121          setup_dhcpclient_nm $1
   122          return
   123      fi
   124      /usr/bin/ps -elF | /usr/bin/grep -w NetworkManager | /usr/bin/grep -v grep >/dev/null
   125      if (( $? == 0 )); then
   126          setup_dhcpclient_nm $1
   127          return
   128      fi
   129      /usr/bin/ps -elF | /usr/bin/grep -w systemd-networkd | /usr/bin/grep -v grep >/dev/null
   130      if (( $? == 0 )); then
   131          setup_dhcpclient_systemd $1
   132          return
   133      fi
   134      setup_dhcpclient_dhclient $1
   135  }

   136  setup_route()
   137  {
   138      if (( $DEVCOUNT == 1 && $ADDRCOUNT == 1 )); then
   139          /sbin/ip -6 route replace default dev $DEV via fe80::feee:ffff:feff:ffff
   140      fi
   141      # TODO policy route
   142  }

   143  # remove wrong addresses and config needed address
   144  # PASSTHROUGH mode: remove ULA and other GUA, config right GUA
   145  # NAT mode: do nothing
   146  # DUAL mode: remove other GUA, config right GUA
   147  setup_addr()
   148  {
   149      local dev=$1
   150      local addr=$2
   151      local ula=$3
   152      local old=

   153      if [[ $MODE == "PASSTHROUGH" ]]; then
   154          old=`/sbin/ip -6 addr show dev $dev | grep inet6 | grep -v 'inet6 fe80' | grep -v "inet6 $addr" | awk '{print $2}'`
   155      elif [[ $MODE == "DUAL" ]]; then
   156          old=`/sbin/ip -6 addr show dev $dev | grep inet6 | grep -v 'inet6 fe80' | grep -v "inet6 $ula" | grep -v "inet6 $addr" | awk '{print $2}'`
   157      else
   158          return 0
   159      fi
   160      for o in $old; do
   161          echo "removing $o"
   162          /sbin/ip -6 addr del dev $dev $o
   163      done
   164      /sbin/ip -6 addr add dev $dev $addr
   165  }

   166  sync_config_from_meta
   167  setup_dhclient $DEV
   168  setup_addr $DEV $ADDR $ULA
   169  setup_route
   170  EOF
   171  fi

   172  mode={{mode}}
   173  gua={{gua}}
   174  ula={{ula}}
   175  DEV="eth0" # default device

   176  rclocal=1

   177  config_rclocal()
   178  {
   179      local conf="/etc/rc.local"
   180      if (( $rclocal != 1 )); then
   181          return
   182      fi

   183      if [[ -h $conf ]]; then
   184          conf="/etc/rc.d/rc.local"
   185      fi
   186      grep -w tencentcloud_ipv6_base $conf | grep "$gua $ula"
   187      if (( $? == 1 )); then
   188          echo "bash /etc/tencentcloud_ipv6_base.sh $mode $gua $ula CAP" >> $conf
   189      fi
   190      chmod +x $conf
   191  }

   192  config_sysconfig()
   193  {
   194      local conf="/etc/sysconfig/network-scripts/init.ipv6-global"
   195      local key="Add some routes which should never appear on the wire"
   196      if [[ -f $conf ]]; then
   197          # duplicate check
   198          grep -w tencentcloud_ipv6_base $conf | grep "$gua $ula"
   199          if (( $? == 1 )); then
   200              lb=`grep -n "$key" $conf | awk -F: '{print $1}' | head -1`
   201              if [[ -n $lb ]]; then
   202                  sed -i "${lb} i          bash /etc/tencentcloud_ipv6_base.sh ${mode} ${gua} ${ula} CAP" $conf
   203              else
   204                  # cannot config
   205                  return
   206              fi
   207          fi
   208          rclocal=0
   209      fi
   210  }

   211  config_systemd_networking()
   212  {
   213      local conf="/lib/systemd/system/networking.service"
   214      local key="ExecStart"
   215      if [[ -f $conf ]]; then
   216          # duplicate check
   217          grep -w tencentcloud_ipv6_base $conf | grep "$gua $ula"
   218          if (( $? == 1 )); then
   219              lb=`grep -n $key $conf | awk -F: '{print $1}' | tail -1`
   220              if [[ -n $lb ]]; then
   221                  sed -i "${lb} a ExecStartPost=/bin/sh -c 'bash /etc/tencentcloud_ipv6_base.sh ${mode} ${gua} ${ula} CAP'" $conf
   222                  systemctl daemon-reload
   223              else
   224                  # cannot config
   225                  return
   226              fi
   227          fi
   228          rclocal=0
   229      fi
   230  }

   231  config_systemd_NetworkManager()
   232  {
   233      local conf="/lib/systemd/system/NetworkManager.service"
   234      local key="ExecStart"
   235      if [[ -f $conf ]]; then
   236          # duplicate check
   237          grep -w tencentcloud_ipv6_base $conf | grep "$gua $ula"
   238          if (( $? == 1 )); then
   239              lb=`grep -n $key $conf | awk -F: '{print $1}' | tail -1`
   240              if [[ -n $lb ]]; then
   241                  sed -i "${lb} a ExecStartPost=/bin/sh -c 'bash /etc/tencentcloud_ipv6_base.sh ${mode} ${gua} ${ula} CAP'" $conf
   242                  systemctl daemon-reload
   243              else
   244                  # cannot config
   245                  return
   246              fi
   247          fi
   248          rclocal=0
   249      fi
   250  }

   251  config_sysconfig
   252  config_systemd_networking
   253  config_systemd_NetworkManager
   254  config_rclocal

   255  # generic config
   256  bash /etc/tencentcloud_ipv6_base.sh PASSTHROUGH 机器外网IPV6地址 机器内网IPV6地址 CAP

机器外网IPV6地址 和 机器内网IPV6地址都可以在管理后台找到,填进去,执行下脚本IPV6就又行了.

Jan  2 14:20:37 localhost cloud-init[906]: Cloud-init v. 20.1 running 'init' at Fri, 02 Jan 2026 06:20:37 +0000. Up 6.03 seconds.
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: ++++++++++++++++++++++++++++++++++++++Net device info++++++++++++++++++++++++++++++++++++++
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: | Device |  Up  |          Address           |      Mask     | Scope  |     Hw-Address    |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |  eth0  | True |          10.0.4.3          | 255.255.252.0 | global | 52:54:00:1a:13:c8 |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |  eth0  | True | fe80::5054:ff:fe1a:13c8/64 |       .       |  link  | 52:54:00:1a:13:c8 |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   lo   | True |         127.0.0.1          |   255.0.0.0   |  host  |         .         |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   lo   | True |          ::1/128           |       .       |  host  |         .         |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +--------+------+----------------------------+---------------+--------+-------------------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: | Route | Destination | Gateway  |    Genmask    | Interface | Flags |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   0   |   0.0.0.0   | 10.0.4.1 |    0.0.0.0    |    eth0   |   UG  |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   1   |   10.0.4.0  | 0.0.0.0  | 255.255.252.0 |    eth0   |   U   |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: ++++++++++++++++++++++++++++Route IPv6 info++++++++++++++++++++++++++++
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+---------------------------+-----------+-------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: | Route | Destination |          Gateway          | Interface | Flags |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+---------------------------+-----------+-------+
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   1   |  fe80::/64  |             ::            |    eth0   |   U   |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   2   |     ::/0    | fe80::feee:ffff:feff:ffff |    eth0   |   UG  |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: |   4   |  multicast  |             ::            |    eth0   |   U   |
Jan  2 14:20:37 localhost cloud-init[906]: ci-info: +-------+-------------+---------------------------+-----------+-------+



[root@VM-4-3-rockylinux ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 52:54:00:1a:13:c8 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 10.0.4.3/22 brd 10.0.7.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 240d:xxxx:xxxx:xxxx:xxxx:xxxx:ce54:0/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe1a:13c8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry260102-070229 小鑫 Fri, 02 Jan 2026 07:02:29 GMT Rocky Linux 9.7 docker 安装 php5.6 mariadb10.1 等老旧中间件服务 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry260102-065103 docker pull 拉取所需指定版本的镜像

[root@VM-4-3-rockylinux ~]# docker images                                                                                                                                                                                                                         
IMAGE               ID             DISK USAGE   CONTENT SIZE   EXTRA
caddy:2.11-alpine   c006ba74d79d       76.8MB         20.8MB    U
gogs/gogs:0.12.9    0979e2a099f2        131MB         43.7MB    U
mariadb:10.1.48     1205b21b7138        486MB          113MB    U
php:5.6.40-fpm      4f070f1b7b93        495MB          126MB    U


数据库 docker-compose.yml:

[root@VM-4-3-rockylinux mariadb]# nl db.yaml
     1  # Use root/example as user/password credentials

     2  services:

     3    db:
     4      image: mariadb:10.1.48
     5      restart: always
     6      environment:
     7        MARIADB_ROOT_PASSWORD: xxxxx
     8        MYSQL_ROOT_PASSWORD: xxxxx
     9      volumes:
    10        - /root/mariadb/data/:/var/lib/mysql:z
    11        - /root/mariadb/run/:/var/run/mysqld:z
    12      ports:
    13        - "172.17.0.1:3306:3306" #使用docker ip


php docker-compose.yml:

[root@VM-4-3-rockylinux php]# nl php.yaml
     1  # Use root/example as user/password credentials

     2  services:

     3    php:
     4      image: php:5.6.40-fpm
     5      restart: always

     9      command: php-fpm #启动php-fpm 进程
    10      volumes:
    11        - /root/php/cfg/www.conf:/usr/local/etc/php-fpm.d/www.conf
    12        - /root/caddy/wwwroot:/home:Z #挂载caddy webroot,同一路径
    13      ports:
    14        - "127.0.0.1:9000:9000"


镜像内php默认mod 缺少 pdo_mysql 和 gd,使用官方提供的 docker-php-ext-configure 和 docker-php-ext-install 命令安装,
docker 内安装 pdo_mysql:
docker-php-ext-configure pdo_mysql && docker-php-ext-install pdo_mysql
docker 内安装 gd:
需要安装 libjpeg62-turbo-dev 和 libpng-dev 依赖
docker-php-ext-configure gd && docker-php-ext-install gd

安装完毕后:

[root@VM-4-3-rockylinux ~]# docker exec ddd138aef61b php-fpm -v
PHP 5.6.40 (fpm-fcgi) (built: Jan 23 2019 00:16:23)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
[root@VM-4-3-rockylinux ~]# docker exec ddd138aef61b php-fpm -m
[PHP Modules]
cgi-fcgi
Core
ctype
curl
date
dom
ereg
fileinfo
filter
ftp
gd
hash
iconv
json
libxml
mbstring
mhash
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
Reflection
session
SimpleXML
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
zlib

[Zend Modules]



具体支持的php mod 可以看:
https://github.com/mlocati/docker-php-extension-installer?tab=readme-ov-file#supported-php-extensions

caddy docker-compose.yml:

[root@VM-4-3-rockylinux caddy]# nl caddy.yaml
     1  # Use root/example as user/password credentials

     2  services:

     3    caddy:
     4      image: caddy:2.11-alpine
     5      user: root
     6      restart: always

    10      volumes:
    11        - /root/caddy/conf:/etc/caddy
    12        - /root/caddy/wwwroot:/home:Z #挂载caddy webroot,同一路径
    13        - /root/caddy/caddy_data:/data
    14        - /root/caddy/caddy_config:/config
    15      network_mode: host


gogs docker-compose.yml:

[root@VM-4-3-rockylinux gogs]# nl gogs.yaml
     1  # Use root/example as user/password credentials

     2  services:

     3    gogs:
     4      image: gogs/gogs:0.12.9
     5      restart: always

     9      volumes:
    10        - /root/gogs/data:/data:Z
    11      ports:
    12        - "127.0.0.1:3000:3000"
    13        - "127.0.0.1:22:22"


服务运行OK:

[root@VM-4-3-rockylinux ~]# docker compose ls
NAME                STATUS              CONFIG FILES
caddy               running(1)          /root/caddy/caddy.yaml
gogs                running(1)          /root/gogs/gogs.yaml
mariadb             running(1)          /root/mariadb/db.yaml
php                 running(1)          /root/php/php.yaml
]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry260102-065103 小鑫 Fri, 02 Jan 2026 06:51:03 GMT 腾讯云轻量服务器DD OpenBSD 7.5 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry240520-142033 1.下载openbsd cd75.iso 镜像,dd 到虚拟本地磁盘/dev/vda

[root@VM-4-3-centos ~]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 223.6M  0 rom
vda    253:0    0    30G  0 disk
└─vda1 253:1    0    30G  0 part /
[root@VM-4-3-centos ~]# wget https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/cd75.iso
--2024-05-20 20:59:11--  https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/cd75.iso
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.43.52, 2a04:4e42:a::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.43.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11429888 (11M) [application/octet-stream]
Saving to: ‘cd75.iso’

100%[===================================================================================================================================================================================================>] 11,429,888  21.0MB/s   in 0.5s

2024-05-20 20:59:12 (21.0 MB/s) - ‘cd75.iso’ saved [11429888/11429888]
[root@VM-4-3-centos ~]# ll
total 11164
-rw-r--r-- 1 root root 11429888 Mar 21 05:54 cd75.iso
[root@VM-4-3-centos ~]# dd if=cd75.iso of=/dev/vda bs=512k
21+1 records in
21+1 records out
11429888 bytes (11 MB) copied, 0.00920571 s, 1.2 GB/s
[root@VM-4-3-centos ~]# reboot

重启进VNC 提示“not boot device” 失败
再次重装系统为Centos 7,使用初始密码ssh 登入系统

2.下载openbsd miniroot75.img 镜像,dd 到虚拟本地磁盘/dev/vda

[root@VM-4-3-centos ~]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 223.6M  0 rom
vda    253:0    0    30G  0 disk
└─vda1 253:1    0    30G  0 part /
[root@VM-4-3-centos ~]# ll
total 0
[root@VM-4-3-centos ~]# wget https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/miniroot75.img
--2024-05-20 21:03:39--  https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/miniroot75.img
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.43.52, 2a04:4e42:a::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.43.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5832704 (5.6M) [application/octet-stream]
Saving to: ‘miniroot75.img’

100%[===================================================================================================================================================================================================>] 5,832,704   13.8MB/s   in 0.4s

2024-05-20 21:03:39 (13.8 MB/s) - ‘miniroot75.img’ saved [5832704/5832704]

[root@VM-4-3-centos ~]# ls -lh
total 5.6M
-rw-r--r-- 1 root root 5.6M Mar 21 05:54 miniroot75.img
[root@VM-4-3-centos ~]# dd if=miniroot75.img of=/dev/vda bs=512k
11+1 records in
11+1 records out
5832704 bytes (5.8 MB) copied, 0.00625355 s, 933 MB/s
[root@VM-4-3-centos ~]# reboot

重启进VNC grub 花屏了 又失败
重装系统为Centos 7,使用初始密码ssh 登入系统

3.下载openbsd install75.img 镜像,dd 到虚拟本地磁盘/dev/vda

[root@VM-4-3-centos ~]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 223.6M  0 rom
vda    253:0    0    30G  0 disk
└─vda1 253:1    0    30G  0 part /
[root@VM-4-3-centos ~]# wget https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/install75.img
--2024-05-20 21:14:45--  https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/install75.img
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.43.52, 2a04:4e42:a::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.43.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 696745984 (664M) [application/octet-stream]
Saving to: ‘install75.img’

100%[===================================================================================================================================================================================================>] 696,745,984 57.0MB/s   in 12s

2024-05-20 21:14:58 (54.0 MB/s) - ‘install75.img’ saved [696745984/696745984]

[root@VM-4-3-centos ~]# ls -lh
total 665M
-rw-r--r-- 1 root root 665M Mar 21 06:14 install75.img
[root@VM-4-3-centos ~]# fdisk -l

Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x0009ac89

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048    62914526    31456239+  83  Linux
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
1328+1 records in
1328+1 records out
696745984 bytes (697 MB) copied, 2.51045 s, 278 MB/s
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# dd if=install75.img of=/dev/vda bs=512k
Segmentation fault
[root@VM-4-3-centos ~]# reboot
Segmentation fault

直接dd sf了,又疯狂dd了好几次,重启命令也挂了,好家伙~直接腾讯云后台硬重启
重启时间有点长,重启完毕完了后进VNC看看,openbsd 文字安装向导出来了 NB!玄学

注:操作时候参考了以下文章:
https://marcocetica.com/posts/openbsd_digitalocean/
https://book.bsdcn.org/di-2-zhang-an-zhuang-freebsd/di-2.5-jie-teng-xun-yun-qing-liang-yun-ji-qi-ta-fu-wu-qi-dd-an-zhuang-freebsd
https://www.openbsd.org/faq/faq4.html#Download
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.5/amd64/]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry240520-142033 小鑫 Mon, 20 May 2024 14:20:33 GMT 安装完 OpenWrt 23.05.0 后,扩展ROOT分区 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry231017-043715
之前一直使用的方法是 fdisk 删除,重建分区大法,不过这方法会导致分区UUID变更,需要更新GRUB.CFG文件才行。

今天刚安装了OP最新稳定版 OpenWrt 23.05.0,就按照官方最新的DOC试试新方法。

ssh 登录系统,可见磁盘mmcblk0p2 需要扩容。

BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@OpenWrt:~# uname -a
Linux OpenWrt 5.15.134 #0 SMP Mon Oct 9 21:45:35 2023 aarch64 GNU/Linux
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root               102.3M     16.8M     83.5M  17% /
tmpfs                   245.2M     92.0K    245.1M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
root@OpenWrt:~# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 14.4G  0 disk
├─mmcblk0p1 179:1    0   20M  0 part
└─mmcblk0p2 179:2    0  104M  0 part /


更新OPKG源,安装需要用到工具 parted losetup resize2fs.

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.0/targets/sunxi/cortexa53/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/releases/23.05.0/targets/sunxi/cortexa53/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/luci/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# opkg install parted losetup resize2fs
Installing parted (3.6-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/packages/parted_3.6-1_aarch64_cortex-a53.ipk
Installing libparted (3.6-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/packages/libparted_3.6-1_aarch64_cortex-a53.ipk
Installing libreadline8 (8.2-1) to root...
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/base/libreadline8_8.2-1_aarch64_cortex-a53.ipk
Installing losetup (2.39-2) to root...
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/base/losetup_2.39-2_aarch64_cortex-a53.ipk
Installing resize2fs (1.47.0-2) to root...
Downloading https://downloads.openwrt.org/releases/23.05.0/packages/aarch64_cortex-a53/base/resize2fs_1.47.0-2_aarch64_cortex-a53.ipk
Configuring resize2fs.
Configuring losetup.
Configuring libparted.
Configuring libreadline8.
Configuring parted.


扩容磁盘mmcblk0 分区2,第一次重启。

root@OpenWrt:~# echo -e "ok\nfix" | parted -l ---pretend-input-tty
Model: SD SD16G (sd/mmc)
Disk /dev/mmcblk0: 15.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  22.0MB  21.0MB  primary  fat16        boot, lba
 2      23.1MB  132MB   109MB   primary  ext2


root@OpenWrt:~# parted -s /dev/mmcblk0 resizepart 2 100%
root@OpenWrt:~# reboot


扩容分区 mmcblk0p2 对应的ext文件系统 /,第二次重启。

root@OpenWrt:~# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 14.4G  0 disk
├─mmcblk0p1 179:1    0   20M  0 part
└─mmcblk0p2 179:2    0 14.4G  0 part / #这里可以看到分区2已经被扩容了
root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root               102.3M     20.0M     80.3M  20% /
tmpfs                   245.2M     88.0K    245.1M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
root@OpenWrt:~# losetup /dev/loop1 /dev/mmcblk0p2
root@OpenWrt:~# resize2fs -f /dev/loop1
resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/loop1 to 3779072 (4k) blocks.
The filesystem on /dev/loop1 is now 3779072 (4k) blocks long.

root@OpenWrt:~# reboot


2次重启完成后,进入系统,扩容已经完成。

root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                14.2G     20.0M     14.2G   0% / #文件也已经被扩容
tmpfs                   245.2M     84.0K    245.1M   0% /tmp
tmpfs                   512.0K         0    512.0K   0% /dev
root@OpenWrt:~# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 14.4G  0 disk
├─mmcblk0p1 179:1    0   20M  0 part
└─mmcblk0p2 179:2    0 14.4G  0 part /


相对于fdisk,这个还是比较方便的。

参考文档:
https://openwrt.org/docs/guide-user/installation/openwrt_x86#expanding_root_partition
https://openwrt.org/docs/guide-user/installation/openwrt_x86#expanding_root_filesystem
https://openwrt.org/docs/guide-user/installation/installation_methods/sd_card
https://openwrt.org/docs/guide-user/advanced/expand_root]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry231017-043715 小鑫 Tue, 17 Oct 2023 04:37:15 GMT 搭建带WEB用户管理的openvpn https://linux.xiazhengxin.name/rss.php/index.php?entry=entry231002-040952
1.下载开源的一键部署脚本,使用这位大佬的项目 https://github.com/Nyr/openvpn-install


wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

执行 下载,安装 就完事了。

如果是个人使用的话,到这里就结束了。缺点是添加、删除用户需要反复的执行该脚本,有点麻烦。

2.编辑 /lib/systemd/system/openvpn-server@.service 服务文件,在执行命令后面追加 --management 127.0.0.1 8989 开启管理端口。
如下:

[Unit]
Description=OpenVPN service for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf --management 127.0.0.1 8989
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target


3.重载服务列表,重启openvpn服务,使配置生效。并查看端口情况。

root@ip:~# systemctl daemon-reload
root@ip:~# systemctl restart openvpn-server@server.service 
root@ip:~# netstat -nlp | grep openvpn
tcp        0      0 172.31.35.111:12345     0.0.0.0:*               LISTEN      19285/openvpn       
tcp        0      0 127.0.0.1:8989          0.0.0.0:*               LISTEN      19285/openvpn


4.确认管理端口开启后,下载ovpn-admin 用户管理服务,解压便可得到可执行的二进制文件。

root@ip:~# wget https://github.com/sharljimhtsin/ovpn-admin/releases/download/v3/ovpn-admin-linux-amd64.tar.gz


5.复制easyrsa 可执行文件 到 $PATH 目录下,ovpn-admin 需要用到。

root@ip:~# cp /etc/openvpn/server/easy-rsa/easyrsa /usr/local/bin/
root@ip:~# ls -lh /usr/local/bin/
total 172K
-rwxr-xr-x 1 root root 170K Jul 14 02:45 easyrsa


6.启动ovpn-admin.命令如下:

root@ip:~# EASYRSA_BATCH=1 ./ovpn-admin --listen.host="0.0.0.0" --listen.port="8080" --ovpn.network="TUN网卡IP/24" --ovpn.server=WANIP:12345:tcp --easyrsa.path=/etc/openvpn/server/easy-rsa/ --easyrsa.index-path=/etc/openvpn/server/easy-rsa/pki/index.txt --log.level=trace 
--web.basic-auth.user=admin --web.basic-auth.password=12345
DEBU[0000] mgmtStatusTimeFormat: 2006-01-02 15:04:05    
DEBU[0000] mgmtSetTimeFormat: successful connection to main/127.0.0.1:8989 
TRAC[0000] OpenVPN Version: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Management Version: 3
 ND
INFO[0000] Bind: http://0.0.0.0:8080


比较关键的参数就是 --web.basic-auth.user=admin --web.basic-auth.password=12345 这2个是用于webui 管理的登录认证。
由于该进程需要常驻,我是用的是 screen,也可以用 nohup 之类的。或者使用 https://mysystemd.talos.sh/ 生成一个 systemd 服务。

7.检查服务端口情况。

root@ip:~# netstat -nlp | grep vpn
tcp        0      0 172.31.35.111:12345     0.0.0.0:*               LISTEN      19285/openvpn       
tcp        0      0 127.0.0.1:8989          0.0.0.0:*               LISTEN      19285/openvpn       
tcp6       0      0 :::8080                 :::*                    LISTEN      19300/./ovpn-admin


8.确认一切OK后,就可以使用 http://wanip:8080 + 之前配置的用户名密码 访问openvpn 的用户管理后台了。]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry231002-040952 小鑫 Mon, 02 Oct 2023 04:09:52 GMT caddy2 域名站点禁用 http to https 自动跳转 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry210911-132916
但是有时候确实会有一些奇葩需求,

比如我就是要访问http 版本,我不需要自动跳转到 https.但是同时我需要https 也可以用。

只需要http 的场景,直接 tls off 就完事了。(caddy 1 是这么配置的,caddy 2 不清楚)

所以我需要的情况是 http 和 https 共存,两者都可以独立访问。

通过查阅资料,看到了 caddy 2 有个auto_https 的全局选项,可以选择off、disable_redirects、ignore_loaded_certs三个选项。
先不说这玩意有用没用,这是全局开关,我不可能为了一个站点,影响其他正常的站点。故不考虑。

继续查。。。

终于找到了解决方案,就是在 hostname 上做手脚。。。。

http://debug.xzx.im:80 https://debug.xzx.im {
        root * /var/www
        file_server
}

这就完事了。查看效果:

[root@VM-4-3-centos ~]# curl http://debug.xzx.im -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6841
Content-Type: text/html; charset=utf-8
Etag: "qz7q685a1"
Last-Modified: Fri, 10 Sep 2021 09:54:08 GMT
Server: Caddy
Date: Sat, 11 Sep 2021 13:44:55 GMT

[root@VM-4-3-centos ~]# curl https://debug.xzx.im -I
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6841
Content-Type: text/html; charset=utf-8
Etag: "qz7q685a1"
Last-Modified: Fri, 10 Sep 2021 09:54:08 GMT
Server: Caddy
Date: Sat, 11 Sep 2021 13:45:00 GMT


再看个同一个CADDY下没改的站点的:

[root@VM-4-3-centos ~]# curl http://us.xzx.im -I
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://us.xzx.im/
Server: Caddy
Date: Sat, 11 Sep 2021 13:46:55 GMT

[root@VM-4-3-centos ~]# curl https://us.xzx.im -I
HTTP/1.1 200 OK
Content-Length: 5514
Content-Type: text/html; charset=utf-8
Date: Sat, 11 Sep 2021 13:46:58 GMT
Server: Caddy
Server: swoole-http-server
Set-Cookie: SWOFT_SESSION_ID=eo0e72sbt0kqiqvco1kkflfqc6; expires=Sun, 12-Sep-2021 01:46:58 GMT; path=/; httponly


效果十分明显,没有了不想要http to https redirect. good!!!!

查阅了以下文档:
https://caddyserver.com/docs/automatic-https
https://caddyserver.com/docs/caddyfile/options#auto-https
https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry210911-132916 小鑫 Sat, 11 Sep 2021 13:29:16 GMT Quantumult X 下使用SS + v2ray-plugin 配置容易踩的坑 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry210219-064438
之前就是照着官方的SAMPLE格式加了自己的VMESS节点,不过还行,添加一次就成功了。

这次添加ss + v2ray-plugin 死活测试延迟失败。。。结果仔仔细细的看了文档,才发现显式需要设置 mux=0 ,默认值是1.

文档里有说明:

# When using obfs=ws and obfs=wss the server side can be deployed by v2ray-plugin with mux = 0 or by v2ray-core.


修正后的go-shadowsocks2 服务端启动命令:

nohup go-shadowsocks2 -password ****** -plugin v2ray-plugin -plugin-opts "server;tls;host=kr.xzx.im;key=/path/to/kr.xzx.im.key;cert=/path/to/kr.xzx.im.crt;mux=0" -s ":####" -verbose &


对应的Quantumult X 本地配置文件的server_local 节点配置:

shadowsocks=kr.xzx.im:####,method=chacha20-ietf-poly1305,password=******,obfs=wss,obfs-uri=/,obfs-host=kr.xzx.im,tls13=false,fast-open=false,udp-relay=false,tag=ss-v2ray-plugin


折腾了好久,结果还是吃了没仔细看文档的亏,所以以后文档还得看啊~

参考了:https://github.com/crossutility/Quantumult-X/blob/master/sample.conf]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry210219-064438 小鑫 Fri, 19 Feb 2021 06:44:38 GMT Caddy 1 迁移到 Caddy 2 配置文件改动 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry200423-060301
升级BIN 很简单,直接下载官方提供的BIN 包解压即可。如果要自己编译得话,GOLANG 的版本需要Go 1.14 以上了。 v1的话 1.13 版本就行。

这里不赘述。主要讲讲配置文件格式的变化。改动还是蛮大的,v1的CaddyFile 直接无法启动。需要自己根据官方迁移文档挨个修改。。。。。

这里是我V1 和 V2 的区别.

v1 版本:

sgp.xzx.im
root /home/admin/http
proxy /caonima 127.0.0.1:9700 {
        websocket
        header_upstream -Origin
}
browse /
status 403 /forbidden
basicauth "username" password{
    realm "password plz"
    /pdf
    /rinima
}
rewrite {
#  if {file} starts_with .
  r ^/\..*
  to /forbidden
}
fastcgi / /run/php-fpm/www.sock php


v2 版本:

sgp.xzx.im {
        root * /home/admin/http
        reverse_proxy /caonima 127.0.0.1:9700
        respond /forbidden 403
        basicauth /pdf/* {
                username JDJhJDEwJEhrMGVjT2s1ZWNoSnM1VUFhUThnV090dUttU3ZYc1kyZGVTLmhoNGVVZUVtY0lwcXRuRG1T
        }
        basicauth /rinima/* {
                username JDJhJDEwJEhrMGVjT2s1ZWNoSnM1VUFhUThnV090dUttU3ZYc1kyZGVTLmhoNGVVZUVtY0lwcXRuRG1T
        }
        @dotFiles {
                path_regexp ^/\..*
        }
        rewrite @dotFiles /forbidden
        # Proxy PHP files to the FastCGI responder
        @phpFiles {
                path *.php
        }
        reverse_proxy @phpFiles unix//var/run/php-fpm-www.sock {
                transport fastcgi {
                        split .php
                }
        }
        #php_fastcgi unix//var/run/php-fpm-www.sock #这个应该是有用的,之前忘了加 unix:// 前缀,还以为没作用
        file_server /* browse
}


基本一目了然。要注意的是
1.HTTP 认证密码不在存放明文,跟NGINX、APACHE HTTPD 学了,通过密码工具生成密文。具体看

root@iZt4nbvac3vpa6uqd0l17kZ:~ # caddy help hash-password
Convenient way to hash a plaintext password. The resulting
hash is written to stdout as a base64 string.

--algorithm may be bcrypt or scrypt. If script, the default
parameters are used.

Use the --salt flag for algorithms which require a salt to
be provided (scrypt).

usage:
  caddy hash-password --plaintext <password> [--salt <string>] [--algorithm <name>]

flags:
  -algorithm string
        Name of the hash algorithm (default "bcrypt")
  -plaintext string
        The plaintext password
  -salt string
        The password salt

Full documentation is available at:
https://caddyserver.com/docs/command-line
root@iZt4nbvac3vpa6uqd0l17kZ:~ # caddy hash-password --plaintext "caonima"
JDJhJDEwJEV1VTFDbk94WnJFaEZJZndMb0tob081U01JOEtVTEpuMW1tbGZRNW16QXJFb3gubm8yM2RX #生成的密文


2.其次就是 php_fastcgi 其实 reverse_proxy 包装了一下,算是个“存储过程”吧。。。。
负责的事情比v1 版本的 fastcgi 多了很多,因为是专门为PHP 解释器转发设计的。
更方便你部署PHP站点了,特别是lumen 这类bootstrap 单一入口,控制器做转发的框架。
可以省去 try_files 等很多逻辑。一键集成PHP....

具体看:https://caddyserver.com/docs/caddyfile/directives/php_fastcgi#expanded-form


除了配置之外,启动方式也变了。
之前:

echo "start caddy"
nohup go/bin/caddy -agree -log log/web.log -conf cfg/Caddyfile >& log/caddy.log &


现在:

 \--- 17397 root caddy run --pingback 127.0.0.1:26860 --config cfg/Caddyfile
#  start           Starts the Caddy process in the background and then returns
默认后台运行,不需要再用 nohup 了


注:本文在实践&撰写时参考了以下文档:
https://caddyserver.com/docs/v2-upgrade
https://caddyserver.com/docs/caddyfile/directives
https://caddyserver.com/docs/caddyfile/matchers
https://caddyserver.com/docs/caddyfile-tutorial]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry200423-060301 小鑫 Thu, 23 Apr 2020 06:03:01 GMT 利用 iptables 做端口转发,实现代理中转 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry200103-032251
所以决定使用这台机器来做中转功能。这里就需要用到端口转发。

端口转发有很多解决方案,支持反代的软件有很多,比如nginx,apache,haproxy,socat 等.

这些都是应用层面的,而且得安装对应的软件包,配置,监听端口,运行才行。但是如果想到操作系统内核底层操作的话,就不得不说iptables 了。

首先修改kernel 内核参数,开启端口转发功能。

[root@hk_uc ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.unknown_nmi_panic = 0
kernel.sysrq = 1
fs.file-max = 1000000
vm.swappiness = 10
fs.inotify.max_user_watches = 10000000
net.core.wmem_max = 327679
net.core.rmem_max = 327679
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
fs.inotify.max_queued_events = 327679
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1 //开启端口转发 1=>开启 0=>关闭

编辑保存后,重载配置,使之生效。

[root@hk_uc ~]# sysctl -p
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.unknown_nmi_panic = 0
kernel.sysrq = 1
fs.file-max = 1000000
vm.swappiness = 10
fs.inotify.max_user_watches = 10000000
net.core.wmem_max = 327679
net.core.rmem_max = 327679
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
fs.inotify.max_queued_events = 327679
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1


接下来就是操作iptables,加入相关的转发规则链。现在比较主流的方式通过 前置路由链、和后置路由链 的方式去实现转发。

我现在要把HK机器9800 端口上进来的TCP请求,统统转发到TW机器(210.203.57.103)的19600 端口上去。
加入前置路由规则:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 9800 -j DNAT --to-destination 210.203.57.103:19600

加入后置路由规则:

iptables -t nat -A POSTROUTING -d 210.203.57.103 -p tcp -m tcp --dport 19600 -j SNAT --to-source 10.8.32.28

10.8.32.28 是我的网卡eth0 IP.

[root@hk_uc ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1454
        inet 10.8.32.28  netmask 255.255.0.0  broadcast 10.8.255.255
        ether 52:54:00:1a:5d:55  txqueuelen 1000  (Ethernet)
        RX packets 83091504  bytes 30721120125 (28.6 GiB)
        RX errors 0  dropped 891  overruns 0  frame 0
        TX packets 98367783  bytes 33007019179 (30.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 14612734  bytes 19897570061 (18.5 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14612734  bytes 19897570061 (18.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

到这步,iptables 端口转发就已经配置好了。保存下iptables 配置。

[root@hk_uc ~]# iptables-save
# Generated by iptables-save v1.4.21 on Fri Jan  3 11:52:32 2020
*nat
:PREROUTING ACCEPT [7618:365173]
:INPUT ACCEPT [7618:365173]
:OUTPUT ACCEPT [1727:118684]
:POSTROUTING ACCEPT [1727:118684]
-A PREROUTING -p tcp -m tcp --dport 9800 -j DNAT --to-destination 210.203.57.103:19600
-A PREROUTING -p tcp -m tcp --dport 9900 -j DNAT --to-destination 140.238.11.39:9600
-A POSTROUTING -d 210.203.57.103/32 -p tcp -m tcp --dport 19600 -j SNAT --to-source 10.8.32.28
-A POSTROUTING -d 140.238.11.39/32 -p tcp -m tcp --dport 9600 -j SNAT --to-source 10.8.32.28
COMMIT
# Completed on Fri Jan  3 11:52:32 2020
# Generated by iptables-save v1.4.21 on Fri Jan  3 11:52:32 2020
*filter
:INPUT ACCEPT [433680:111523114]
:FORWARD ACCEPT [360898:155486678]
:OUTPUT ACCEPT [476261:116542832]
COMMIT
# Completed on Fri Jan  3 11:52:32 2020

至此,所有操作完成。可以看到HK 机器的9800端口已经可以ping 通了。我本地到TW机器的延迟约等于 本地到HK + HK 到 TW 的延迟总和。牺牲一点延迟,换来线路的稳定,也是值得的。

本文在实践撰写的过程参考一下文章:
http://xstarcd.github.io/wiki/Linux/ipt ... share.html
https://coolnull.com/3322.html
https://doubibackup.com/3we1qxzj-3.html]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry200103-032251 小鑫 Fri, 03 Jan 2020 03:22:51 GMT 在NAT机器上搭建 shadowsocks + v2ray-plugin (websocket SSL) 组合 https://linux.xiazhengxin.name/rss.php/index.php?entry=entry191220-052047
想想就麻烦。但是shadowsocks 基于我之前使用情况,发现已经大概率被识别了。在这种情况下,我想试试之前听说过,但一直没用过的 v2ray-plugin 插件.

如果你的机器没有golang 环境,请先安装并配置好GOPATH、PATH.参见:https://go-repo.io/
最好也安装一下开发者套件,比如 yum groupinstall 'development tools'
确认防火墙已经关闭,或者指定端口已经放行.比如 systemctl stop firewalld

首先下载 go-shadowsocks2,

go get -u -v github.com/shadowsocks/go-shadowsocks2

一行命令搞定。

接下来是v2ray-plugin.(它的项目主页提供了bin 包下载。图省事的可以直接下载解压,复制到PATH目录即可。)

git clone https://github.com/shadowsocks/v2ray-plugin.git

签出代码,进入目录。编辑里面的 build-release.sh 文件,删除除了 linux,x64 之外的所有系统平台、架构。下面的几个ARM 平台的也删了。
运行 build-release.sh 编译文件,完成后你会在当前目录看到适合你平台架构的可执行文件。

复制到PATH 目录下,改名为 v2ray-plugin.

mv v2ray-plugin_linux_amd64 ~/go/bin/v2ray-plugin


按说到这里就差不多了,但是因为需要跑websocket + SSL.还需要一个 SSL证书。
用到了acme.sh 工具。

git clone https://github.com/Neilpang/acme.sh

签出代码,进入目录。
因为是NAT模式,所以一般的 --standalone 模式是行不通的。(我试过给 --httpport 参数,没效果)
故而使用 DNS 验证模式,执行脚本

./acme.sh --issue --dns -d  tw.xzx.im --yes-I-know-dns-manual-mode-enough-go-ahead-please

之后进入自己的DNS SERVER ISP 后台,添加一条TXT记录,内容就是脚本返回里面的。不难找~
确认域名记录生效后,再次执行脚本:

./acme.sh --renew --dns -d  tw.xzx.im --yes-I-know-dns-manual-mode-enough-go-ahead-please

不出意外,基本就成功了。SSL证书的公私钥啥的就都保存到本地的 ~/.acme.sh 目录下了。

证书搞定后就起服务了。

nohup go-shadowsocks2 -password ***** -plugin v2ray-plugin -plugin-opts "server;tls;host=tw.xzx.im" -s ":9600" &

htop 看一下,服务已经起来了,go-shadowsocks 成功的调起了 v2ray-plugin 进程。

  |-go-shadowsocks2,29874 -password ***** -plugin v2ray-plugin -plugin-opts server;tls;host=tw.xzx.im -s :9600
  |   |-v2ray-plugin,29879
  |   |   |-{v2ray-plugin},29881
  |   |   |-{v2ray-plugin},29882
  |   |   |-{v2ray-plugin},29883
  |   |   |-{v2ray-plugin},29884
  |   |   |-{v2ray-plugin},29885
  |   |   |-{v2ray-plugin},29886
  |   |   |-{v2ray-plugin},30461
  |   |   |-{v2ray-plugin},30462
  |   |   `-{v2ray-plugin},30476
  |   |-{go-shadowsocks2},29875
  |   |-{go-shadowsocks2},29876
  |   |-{go-shadowsocks2},29877
  |   |-{go-shadowsocks2},29878
  |   |-{go-shadowsocks2},29880
  |   |-{go-shadowsocks2},30458
  |   |-{go-shadowsocks2},30459
  |   |-{go-shadowsocks2},30464
  |   |-{go-shadowsocks2},30477
  |   |-{go-shadowsocks2},30699
  |   |-{go-shadowsocks2},30701
  |   `-{go-shadowsocks2},30710

端口监听正常.

[root@vm1219610 ~]# netstat -nlp | grep 9600
tcp        0      0 0.0.0.0:9600            0.0.0.0:*               LISTEN      29879/v2ray-plugin
udp        0      0 0.0.0.0:9600            0.0.0.0:*                           29874/go-shadowsock


服务端搞定了。接下来配置一下自己本地的代理工具,我用的是netch,GUI 上添加一个新SS服务器,配置一下就OK了。

    {
      "Remark": "TW",
      "Group": "None",
      "Type": "SS",
      "Rate": 1.0,
      "Hostname": "tw.xzx.im",
      "Port": 19600, #这里是NAT端口转发的外网开放端口
      "Username": null,
      "Password": "*******",
      "UserID": "",
      "AlterID": 0,
      "EncryptMethod": "chacha20-ietf-poly1305",
      "Plugin": "v2ray-plugin",
      "PluginOption": "tls;host=tw.xzx.im",
      "Protocol": null,
      "ProtocolParam": null,
      "OBFS": null,
      "OBFSParam": null,
      "TransferProtocol": "tcp",
      "FakeType": "",
      "Host": "",
      "Path": "",
      "QUICSecure": "none",
      "QUICSecret": "",
      "TLSSecure": false,
      "Delay": 49
    }


这是我netch 的json 配置,仅供参考。

注:本文在实践、撰写时参考了一下项目文档:
https://github.com/shadowsocks/go-shadowsocks2/blob/master/README.md
https://github.com/shadowsocks/v2ray-plugin/blob/master/README.md
https://github.com/Neilpang/acme.sh/blob/master/README.md]]> https://linux.xiazhengxin.name/rss.php/index.php?entry=entry191220-052047 小鑫 Fri, 20 Dec 2019 05:20:47 GMT