重装CentOS 7
使用以下命令查看网卡IP地址,以便使用第三方ssh工具登录Linux
ip addr
禁用SELinux
修改配置文件
vim /etc/selinux/config
将以下配置项的值改为 disabled(即改成 SELINUX=disabled;注意拼写是 disabled,不是 disable)
SELINUX=enforcing
注意:需要重启系统才能生效,重启之前可以备份数据或者建立一个系统快照,如果有问题可以直接恢复
切换源为中国大陆源
#备份原来的源
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
#编辑源
vi /etc/yum.repos.d/CentOS-Base.repo
#在vi的编辑器中输入以下命令按【回车】删除所有内容
#如果编辑器左下角显示Insert或者replace字样,先按【Esc】再输入以下命令
:%d
切换为国内163源(在编辑器中按【Insert】键切换为输入模式),复制下面的内容粘贴
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base - 163.com
#mirrorlist=https://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=https://mirrors.163.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=https://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates - 163.com
#mirrorlist=https://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=https://mirrors.163.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=https://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - 163.com
#mirrorlist=https://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=https://mirrors.163.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=https://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - 163.com
baseurl=https://mirrors.163.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://mirrors.163.com/centos/RPM-GPG-KEY-CentOS-7
保存:按【Esc】键,输入下面命令进行保存
#输入命令后按【回车】保存
:wq
清除yum缓存
yum clean all
创建yum缓存
yum makecache
安装必要的网络工具
yum install wget net-tools vim nc -y
安装Nginx
#安装epel源
yum install epel-release -y
#安装nginx
yum install nginx -y
#安装stream模块
yum install nginx-mod-stream -y
#运行nginx
systemctl start nginx
#设置nginx开机自动运行
systemctl enable nginx
安装docker
#安装工具
yum install -y yum-utils device-mapper-persistent-data lvm2
#安装阿里云docker源
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#创建yum源缓存
yum makecache fast
#安装docker
yum -y install docker-ce
#启动docker
systemctl start docker
#设置docker开机启动
systemctl enable docker
修改docker仓库镜像地址
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://xxx.mirror.aliyuncs.com"],
"insecure-registries": ["192.168.37.170"]
}
运行下面命令让 systemd 重新加载单元配置,并重启 docker,使 daemon.json 的修改生效
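# Reload systemd unit files (the original had a typo: "daemon-load"),
# then restart docker so it re-reads /etc/docker/daemon.json
# (the original "sysctemct" was a typo for systemctl).
systemctl daemon-reload
systemctl restart docker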
安装docker-compose
#下载docker-compose到/usr/local/bin目录,并且命名为docker-compose
sudo wget -O /usr/local/bin/docker-compose "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)"
#为docker-compose添加执行权限
sudo chmod +x /usr/local/bin/docker-compose
#验证docker-compose是否安装成功
docker-compose --version
安装自己的docker容器
#安装Clash
docker run -d --name clash -v "/mnt/sdb1/docker_data/clash:/root/.config/clash" -p "7890:7890" -p "9091:9090" -p "7891:7891" --restart=unless-stopped dreamacro/clash
#安装Clash WebUI
docker run -p 1234:80 -d --name yacd haishanh/yacd
#HTML5测速站点
docker run -d -p 6688:80 --name html5-speedtest ilemonrain/html5-speedtest:latest
#Docker 管理面板
docker run -d -p 8000:8000 -p 9000:9443 --name portainer-ui \
--restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /mnt/sdb1/docker_data/portainer/data:/data \
cr.portainer.io/portainer/portainer-ce:2.16.1-alpine
### heimdall
docker run -d -p 8081:80 -p 2443:443 --name heimdall \
-v /mnt/sdb1/docker_data/heimdall/config:/config \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Asia/Hongkong \
--restart=always \
linuxserver/heimdall:latest
安装cloudreve网盘程序
建立容器持久化目录
mkdir -p /mnt/sdb1/docker_data/cloudreve
cd /mnt/sdb1/docker_data/cloudreve
mkdir {cloudreve,data}
cd cloudreve
mkdir {avatar,uploads}
touch {conf.ini,cloudreve.db}
cd /mnt/sdb1/docker_data/cloudreve
创建docker-compose.yml
vim docker-compose.yml
输入以下内容
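# docker-compose for Cloudreve + aria2. Indentation restored: the flattened
# original is not valid YAML. Run from /mnt/sdb1/docker_data/cloudreve so the
# ./cloudreve/* bind mounts and $PWD/data resolve to the directories created above.
version: "3.8"
services:
  cloudreve:
    container_name: cloudreve
    image: cloudreve/cloudreve:latest
    restart: unless-stopped
    ports:
      - "5212:5212"
    volumes:
      - temp_data:/data
      - ./cloudreve/uploads:/cloudreve/uploads
      - ./cloudreve/conf.ini:/cloudreve/conf.ini
      - ./cloudreve/cloudreve.db:/cloudreve/cloudreve.db
      - ./cloudreve/avatar:/cloudreve/avatar
    depends_on:
      - aria2
  aria2:
    container_name: aria2
    image: p3terx/aria2-pro
    restart: unless-stopped
    environment:
      # Replace with your own random value before deploying. The value that was
      # published in this document is no longer a secret and must not be reused.
      - RPC_SECRET=<YOUR_RPC_SECRET>
      - RPC_PORT=6800
    volumes:
      - ./aria2/config:/config
      - temp_data:/data
volumes:
  temp_data:
    driver: local
    driver_opts:
      type: none
      # $PWD is substituted by docker-compose from the shell environment
      device: $PWD/data
      o: bind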
使用docker-compose创建容器
docker-compose -f docker-compose.yml up -d
安装qbittorrent
#创建文件(请在单独的目录中创建,否则会覆盖上面 cloudreve 目录里的 docker-compose.yml)
vim docker-compose.yml
写入内容
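---
# docker-compose for qBittorrent (linuxserver image). Indentation restored:
# the flattened original is not valid YAML.
version: "2.1"
services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - WEBUI_PORT=8080
    volumes:
      - /mnt/sdb1/docker_data/qbittorrent/config:/config
      - /mnt/sdb1/docker_data/qbittorrent/downloads:/downloads
    ports:
      # host 8083 -> WebUI; the nginx reverse proxy below points at 127.0.0.1:8083
      - 8083:8080
      - 6881:6881
      - 6881:6881/udp
    restart: unless-stopped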
使用docker-compose创建容器
docker-compose -f docker-compose.yml up -d
安装acme.sh,自动申请证书
acme.sh的GitHub仓库
https://github.com/acmesh-official/acme.sh
wget -O - https://get.acme.sh | sh -s email=[email protected]
配置acme.sh Cloudflare自动签发证书
修改账号配置文件
/root/.acme.sh/account.conf
vim /root/.acme.sh/account.conf
参考以下内容修改
LOG_FILE='/root/.acme.sh/acme.sh.log'
#LOG_LEVEL=1
#AUTO_UPGRADE="1"
#NO_TIMESTAMP=1
#账号邮箱
ACCOUNT_EMAIL='[email protected]'
UPGRADE_HASH='3425a****************************35a2876'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'
#Cloudflare密钥
SAVED_CF_Key='269f1316d******************067dfe2e22'
#Cloudflare邮箱
SAVED_CF_Email='[email protected]'
#等待DNS时间(s)
Le_DNSSleep='30'
USER_PATH='/sbin:/bin:/usr/sbin:/usr/bin'
使用DNS模式自动申请证书
acme.sh --issue --dns dns_cf -d *.example.com --log --force
通过 crontab 定时执行私有仓库中的证书检查脚本
crontab -e
#定时执行
0 23 * * * sh /your_path/auto_cert/CheckDomainSSLDate.sh
#重启cron
systemctl restart crond
配置Nginx
使用stream模块转发流量
主配置文件
nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
#stream配置
include /etc/nginx/stream.conf;
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
map_hash_bucket_size 32;
server_names_hash_bucket_size 64;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
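# Wildcard fallback for *.cent.example.com on 9528. Exact server_names in
# conf.d take precedence, so this block answers unlisted subdomains with 403
# instead of proxying them anywhere. The original repeated this block twice
# verbatim (nginx warns about the conflicting server name); one copy suffices.
server {
    listen 9528 ssl;
    server_name *.cent.example.com;
    root /www/nginx_dir;
    # shared certificate settings
    include conf.d/public_config/cert_cent.example.com.conf;
    location / {
        default_type text/html;
        # fixed markup: <storng>/</storong> typos and the unclosed <h2>
        return 403 "<body style='background-color:black;color:white'><h2><strong>please check your URL.</strong></h2></body>";
    }
}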
}
Stream模块
vim /etc/nginx/stream.conf
stream {
upstream web_http {
#指向 http 服务(注意:原注释写的是 9529,与下一行的 8012 不一致,请核对端口)
server 127.0.0.1:8012;
}
upstream web_https {
#指向9528端口的服务(这些server配置为https)
server 127.0.0.1:9528;
}
map $ssl_preread_protocol $upstream {
#默认将流量导向web_http
default web_http;
#将以下4个TLS版本的流量导向web_https
"TLSv1.0" web_https;
"TLSv1.1" web_https;
"TLSv1.2" web_https;
"TLSv1.3" web_https;
}
# HTTP and TLS on the same port: ssl_preread inspects the ClientHello and the map above picks the upstream
server {
#接管9527端口流量
listen 9527;
proxy_pass $upstream;
ssl_preread on;
}
}
反向代理docker
vim /etc/nginx/conf.d/docker_proxy_com_https.conf
################## docker管理面板 #################
server {
listen 9528 ssl;
server_name dockerui.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass https://127.0.0.1:9000;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/dockerui;
}
}
################## 网址展示 #################
server {
listen 9528 ssl;
server_name heimdall.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:8081;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
proxy_set_header X-Forwarded-Host $host:9527;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/heimdall;
}
}
################## qbittorrent下载 #################
server {
listen 9528 ssl;
server_name qbittorrent.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:8083;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
proxy_set_header X-Forwarded-Host $host:9527;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/heimdall;
}
}
################## v2ray代理转发 #################
server {
listen 9528 ssl;
server_name v2ray.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
#V2ray
proxy_pass http://127.0.0.1:7890;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/v2ray;
}
}
################## Clash UI #################
server {
listen 9528 ssl;
server_name clash.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:1234;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/clash;
}
}
################## Clash #################
server {
listen 9528 ssl;
server_name clash_core.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:9091;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/clash_core;
}
}
################## 在线ssh工具 #################
server {
listen 9528 ssl;
server_name webssh.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:8182;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/webssh;
}
}
################## 阿里云盘WebDAV #################
server {
listen 9528 ssl;
server_name aliyun.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:8087;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/webssh;
}
}
## clash 配置文件转换
server {
listen 9528 ssl;
server_name subconvert.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
large_client_header_buffers 4 5120k;
location / {
proxy_pass http://127.0.0.1:25500;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/webssh;
}
}
###################剪贴板###################
server {
listen 9528 ssl;
server_name past.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
large_client_header_buffers 4 51200k;
location / {
proxy_pass http://127.0.0.1:8088;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/past;
}
}
server {
listen 9528 ssl;
server_name chat.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
large_client_header_buffers 4 51200k;
location / {
proxy_pass http://127.0.0.1:8089;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/past;
}
}
##############Cloudreve网盘################
server {
listen 9528 ssl;
server_name cloud.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
large_client_header_buffers 4 51200k;
client_max_body_size 4096m;
location / {
proxy_pass http://127.0.0.1:5212;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
proxy_max_temp_file_size 0;
}
##网站LOGO
## location = /favicon.ico {
## root /www/nginx_dir/past;
## }
}
############## Speed Test 测速 ################
server {
listen 9528 ssl;
server_name speedtest.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
large_client_header_buffers 4 51200k;
client_max_body_size 4096m;
location / {
proxy_pass http://127.0.0.1:8093;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
## location = /favicon.ico {
## root /www/nginx_dir/past;
## }
}
################## Alist #################
server {
listen 9528 ssl;
server_name alist.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
proxy_pass http://127.0.0.1:5244;
##支持websocket
include conf.d/public_config/proxy_websocket.include;
include conf.d/public_config/proxy.include;
}
##网站LOGO
location = /favicon.ico {
root /www/nginx_dir/clash;
}
}
################## speedtest(注意:server_name 与上面 "Speed Test 测速" 块重复,nginx 只会使用先加载的那个,需合并或改名) #############
server {
listen 9528 ssl;
server_name speedtest.cent.example.com;
root /www/nginx_dir;
#统一证书配置
include conf.d/public_config/cert_cent.example.com.conf;
location / {
#html5-speedtest 容器(见上文 docker run,宿主机端口 6688)
proxy_pass http://127.0.0.1:6688; #x-ui
#include conf.d/v2ray_proxy.conf.cf;
}
}
创建目录 public_config
mkdir /etc/nginx/conf.d/public_config
统一证书配置
vim /etc/nginx/conf.d/public_config/cert_cent.example.com.conf
# Certificate issued by acme.sh (see the acme.sh section above), not Certbot
ssl_certificate /root/.acme.sh/*.cent.example.com_ecc/fullchain.cer;
# Matching private key from the same acme.sh directory
ssl_certificate_key /root/.acme.sh/*.cent.example.com_ecc/*.cent.example.com.key;
ssl_session_timeout 5m;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Once clients allow
# it, keep only TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL build supports it);
# the stream.conf map also routes "TLSv1.0"/"TLSv1.1", so update both together.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
统一代理配置
vim /etc/nginx/conf.d/public_config/proxy.include
##更好的协议头支持
add_header X-Served-By $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
#proxy_pass $forward_scheme://$server:$port$request_uri;
添加反向代理websocket配置
vim /etc/nginx/conf.d/public_config/proxy_websocket.include
##对websocket的支持
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
V2ray反向代理配置
vim /etc/nginx/conf.d/public_config/v2ray_proxy.conf.cf
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_intercept_errors on;
error_page 400 /400.html;
安装KMS服务器
参考:https://www.pomato.eu.org/post/buid_my_mskms/
开放防火墙端口
#添加放行端口
firewall-cmd --zone=public --add-port=9527/tcp --permanent
firewall-cmd --zone=public --add-port=1688/tcp --permanent
firewall-cmd --zone=public --add-port=8084/tcp --permanent
#重新加载防火墙规则
firewall-cmd --reload
#列出所有规则
firewall-cmd --list-all
安装Gitlab
参考:https://www.pomato.eu.org/post/installgitlab_centos/
恢复Gitlab
复制备份文件到恢复新机器上
cp your_dir/1687230128_2023_06_20_13.12.0_gitlab_backup.tar /var/opt/gitlab/backups/
停止 puma 和 sidekiq
sudo gitlab-ctl stop puma
sudo gitlab-ctl stop sidekiq
#验证
sudo gitlab-ctl status
恢复备份
sudo gitlab-backup restore BACKUP=1687230128_2023_06_20_13.12.0
安装科学上网连接转换Clash配置文件工具
在GitHub下载程序
https://github.com/tindy2013/subconverter/releases
#下载程序
wget -O subconverter_linux64.tar.gz https://github.com/tindy2013/subconverter/releases/download/v0.7.2/subconverter_linux64.tar.gz
#解压文件
tar -xzf subconverter_linux64.tar.gz
cd subconverter
#添加执行权限
chmod +x subconverter
# 创建执行脚本
vim run_subconvert.sh
输入以下内容
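# Run subconverter detached, appending stdout and stderr to one log file.
# The original chained `> /dev/null` with `&>>LOG 2>&1`; the later redirection
# overrides the first, so `> /dev/null` did nothing and is dropped here.
# `</dev/null` detaches stdin so the process does not hang on the terminal.
nohup /your_path/subconverter/subconverter </dev/null >>/var/log/subconverter.p25500.log 2>&1 &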
为 run_subconvert.sh 添加执行权限
chmod +x run_subconvert.sh
设置开机启动
#添加执行权限
chmod +x /etc/rc.d/rc.local
#编辑文件
vim /etc/rc.d/rc.local
添加以下内容
/your_path/subconverter/run_subconvert.sh
CDN自动测速测试
crontab -e
#################################
#### Cloudflare Speed Test ######
#################################
#0 8 * * * sh /your_path/auto_CF/cfst_hosts.sh
#0 13 * * * sh /your_path/auto_CF/cfst_hosts.sh
0 21 * * * sh /your_path/auto_CF/cfst_hosts.sh
#################################
#### Amazon CDN Speed Test ######
#################################
#10 8 * * * sh /your_path/auto_CF/aws_cfst_hosts.sh
#10 13 * * * sh /your_path/auto_CF/aws_cfst_hosts.sh
#################################
#### Gcore CDN Speed Test #######
#################################
0 8 * * * sh /your_path/auto_CF/gcore_cfst_hosts.sh
0 13 * * * sh /your_path/auto_CF/gcore_cfst_hosts.sh
#重启cron
systemctl restart crond
其他
设置系统代理教程
https://www.pomato.eu.org/linux/centossetproxy/
docker pull代理设置
mkdir -p /etc/systemd/system/docker.service.d
#创建代理配置文件
vim /etc/systemd/system/docker.service.d/http-proxy.conf
输入内容
[Service]
Environment="HTTP_PROXY=http://192.168.3.124:7890"
Environment="HTTPS_PROXY=http://192.168.3.124:7890"
#如果你自己建了私有的镜像仓库,需要 dockerd 绕过代理服务器直连,那么配置 NO_PROXY 变量:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80"
Environment="HTTPS_PROXY=https://proxy.example.com:443"
Environment="NO_PROXY=your-registry.com,10.10.10.10,*.example.com"
sudo systemctl daemon-reload
sudo systemctl restart docker
systemctl show --property=Environment docker