Happy New Year 2021 🌞㊗☃ I recently spent some time trying out HestiaCP and myVesta, two hosting control panels forked from VestaCP 🐱👓🐱 🐱👓 Feature-wise, both only support Debian (HestiaCP also supports Ubuntu) and both put a strong emphasis on security, but HestiaCP ships with its own PHP version selector (5.4, 7.0 to 7.4 and 8.0 are available), which makes it the better fit for a site-building environment or for people who like to tinker; HestiaCP's documentation is also more detailed, it has more stars on GitHub, and it is worth mentioning that once a site has HSTS and HTTP/2 configured, the ssllabs test gives an A+ straight away with no extra fiddling 🐱🏍 In actual use HestiaCP also felt closer to my habits, and the admin panel has been restyled 👍😘💪 myVesta is fine too; both feel much like VestaCP in daily use, so I am leaving these notes here for the record 🏂🐱🏍🏇
Preliminary steps
Since I have always had the habit of setting the hostname to the domain I am going to configure (usually a subdomain), and HestiaCP's SSL setup can be applied to it directly, HestiaCP is closer to the way I work 🚅🏎🛸🛥🚆
```bash
# Change the hostname
hostnamectl set-hostname lax1.520.be && hostname lax1.520.be
exec bash
---
# DNS (if resolvconf or systemd-resolved manages this file it will be overwritten again)
cat <<"EOF" > /etc/resolv.conf
nameserver 1.1.1.1
nameserver 9.9.9.9
nameserver 2001:2001::
nameserver 2620:fe::fe
EOF
# cat /etc/resolv.conf
---
# Update the system
apt-get install -y sudo
sudo apt-get update
sudo apt-get install -y lsb-base screen perl tar unzip gzip bzip2 ftp mtr traceroute mutt cron htop mlocate wget curl net-tools dnsutils lsof ncdu ca-certificates
sudo apt-get upgrade -y
sudo apt-get autoremove --purge -y
```
Installing HestiaCP
Start a screen session first so that a dropped connection does not interrupt the install 🤓
screen -S HestiaCP
My setup installs Apache, NGiNX, multi-PHP, Bind, Exim, MariaDB, Vsftpd and Fail2Ban, and leaves out the mail-related features entirely because they eat a lot of resources. Another plus I noticed here is that HestiaCP lets you choose the UI language directly and set the port the control panel listens on 😎 The remaining install options are covered in HestiaCP's documentation.
```bash
cd /opt
wget -O hst-install.sh https://git.io/JedYV
bash hst-install.sh -a yes -n yes -w yes -o yes -v yes -k yes \
-m yes -g no -x yes -z no -c no -t no -i yes -b yes -q yes -d yes \
-r 5566 -l zh-tw -y no -s lax1.520.be -e admin@520.be -f
```
Thanks to the way Debian works, most of the software is installed in a flash with apt; get up, stretch, make a coffee, and it will be done in about 15 minutes. When the install finishes, the login details are printed in the SSH session; write down the login password, then reboot 🤖🤓🤖
Tuning HestiaCP
# Put HestiaCP's helper scripts on the PATH so they can be run like any other command 🤓
```bash
source /etc/profile
PATH=$PATH:/usr/local/hestia/bin && export PATH
```
# Issue an SSL certificate for the hostname, enable the HSTS and HTTP/2 settings to strengthen security, then force HTTP to redirect to HTTPS 🤓
```bash
v-add-letsencrypt-host
v-add-web-domain-ssl-hsts 'admin' 'lax1.520.be'
v-add-web-domain-ssl-force 'admin' 'lax1.520.be'
```
If the hostname differs from the domain name, use this command instead 🤖
v-add-letsencrypt-domain admin lax1.520.be
# SSL file locations 🤖
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.crt
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.key
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.ca
# Remove the install templates for platforms that are not needed 🤓
```bash
rm -fr /usr/local/hestia/install/rhel
rm -fr /usr/local/hestia/install/ubuntu
rm -fr /usr/local/hestia/install/debian/7
rm -fr /usr/local/hestia/install/debian/8
rm -fr /usr/local/hestia/install/debian/9
```
# Custom whitelist 🤓
```bash
touch /etc/iptables.up.rules
### CloudFlare whitelist (port 0 = all ports)
for x in $(curl https://www.cloudflare.com/ips-v4); do v-add-firewall-rule accept $x 0; done
---
### HetrixTools whitelist
for x in $(curl https://hetrixtools.com/resources/uptime-monitor-only-ips.txt); do v-add-firewall-rule accept $x 0; done
# cat /usr/local/hestia/data/firewall/rules.conf
---
### MxToolbox whitelist
v-add-firewall-rule 'ACCEPT' '64.20.227.128/24' '0' # MxToolbox
v-add-firewall-rule 'ACCEPT' '52.55.244.91/32' '0' # MxToolbox
v-add-firewall-rule 'ACCEPT' '18.205.72.90/32' '0' # MxToolbox
```
# Example: opening custom ports 🤖
```bash
touch /etc/iptables.up.rules
v-add-firewall-rule ACCEPT 0.0.0.0/0 22 TCP SSH
v-add-firewall-rule ACCEPT 0.0.0.0/0 5566 TCP HestiaCP
```
# Custom Fail2ban whitelist 🤓
```bash
curl -sF 'clbin=<-' https://clbin.com < /etc/fail2ban/jail.conf   # uploads a copy to the clbin pastebin and prints its URL
---
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak
---
# note: fail2ban reads jail.local as an override; edits made directly to jail.conf are lost on a package upgrade
sed -i 's/#ignoreip = 127.0.0.1\/8 ::1/ignoreip = 127.0.0.1\/8 ::1 192.168.1.0\/24 1.1.1.1 9.9.9.9 2001:2001:: 2620:fe::fe/g' /etc/fail2ban/jail.conf
# cat /etc/fail2ban/jail.conf | grep ignoreip
systemctl restart fail2ban
```
Tuning PHP
PHP 7.3 is neither too new nor too old and has plenty of packages available, so it suits a site-building environment better than the other versions; recommended 🤓🤖🤓
```bash
v-change-web-domain-backend-tpl 'admin' 'lax1.520.be' 'PHP-7_3'
v-change-user-php-cli 'admin' '7.3'
```
# Tune the PHP 7.3 settings; on a box with more memory, opcache.memory_consumption can be raised further 🤓
```bash
curl -sF 'clbin=<-' https://clbin.com < /etc/php/7.3/fpm/php.ini   # uploads a copy to the clbin pastebin and prints its URL
---
cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.bak
sed -i 's/; disable_functions/disable_functions/g' /etc/php/7.3/fpm/php.ini
sed -i 's/disable_functions =.*/disable_functions = passthru,system,chroot,chgrp,chown,ini_alter,ini_restore,dl,symlink,popepassthru,stream_socket_server,fsocket/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep disable_functions
# vi +/disable_functions /etc/php/7.3/fpm/php.ini
---
sed -i 's/memory_limit =.*/memory_limit = 1024M/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep memory_limit
# vi +/memory_limit /etc/php/7.3/fpm/php.ini
---
sed -i 's/post_max_size =.*/post_max_size = 1024M/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep post_max_size
# vi +/post_max_size /etc/php/7.3/fpm/php.ini
---
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 1024M/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep upload_max_filesize
# vi +/upload_max_filesize /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_execution_time =.*/max_execution_time = 600/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep max_execution_time
# vi +/max_execution_time /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_input_time =.*/max_input_time = 600/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep max_input_time
# vi +/max_input_time /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_file_uploads =.*/max_file_uploads = 2000/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep max_file_uploads
# vi +/max_file_uploads /etc/php/7.3/fpm/php.ini
---
# max_input_vars ships commented out (";max_input_vars = 1000"), so the leading ";" has to be removed as well
sed -i 's/^;\?max_input_vars =.*/max_input_vars = 5000/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep max_input_vars
# vi +/max_input_vars /etc/php/7.3/fpm/php.ini
---
# date.timezone also ships commented out (";date.timezone =")
sed -i 's/^;\?date.timezone =.*/date.timezone = Asia\/Taipei/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep date.timezone
# vi +/date.timezone /etc/php/7.3/fpm/php.ini
---
sed -i 's/;session.cookie_secure =.*/session.cookie_secure = True/g' /etc/php/7.3/fpm/php.ini
clear
# cat /etc/php/7.3/fpm/php.ini | grep session.cookie_secure
# vi +/session.cookie_secure /etc/php/7.3/fpm/php.ini
---
sed -i '/opcache.enable/d' /etc/php/7.3/fpm/php.ini
echo "opcache.enable=1" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.memory_consumption/d' /etc/php/7.3/fpm/php.ini
echo "opcache.memory_consumption=128" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.interned_strings_buffer/d' /etc/php/7.3/fpm/php.ini
echo "opcache.interned_strings_buffer=8" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.max_accelerated_files/d' /etc/php/7.3/fpm/php.ini
echo "opcache.max_accelerated_files=4000" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.revalidate_freq/d' /etc/php/7.3/fpm/php.ini
echo "opcache.revalidate_freq=60" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.fast_shutdown/d' /etc/php/7.3/fpm/php.ini
echo "opcache.fast_shutdown=1" >> /etc/php/7.3/fpm/php.ini   # ignored since PHP 7.2, where this setting was removed
clear
# cat /etc/php/7.3/fpm/php.ini | grep opcache
php-fpm7.3 -t            # checks the PHP-FPM configuration
/usr/sbin/apachectl -t   # checks the Apache configuration
```
As long as the output ends with Syntax OK, the settings are fine 🤖
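A plain `s/key =.*/key = value/` sed only rewrites a directive that is already active; when the directive ships commented out (`;date.timezone =` in Debian's php.ini) the leading `;` has to go as well, and when it is absent nothing happens at all. The helper below is an added example, not code from this post: a single `set_ini` function that replaces an active line, uncomments and replaces a commented one, or appends the directive when it is missing, plus `get_ini` to read back the effective value. It assumes GNU sed (Debian's) and runs on a constructed ini fragment rather than the real php.ini.

```shell
#!/bin/sh
# Added example: idempotent editing of php.ini-style "key = value" directives.
# Assumes GNU sed (for -i and -E). File paths below are constructed temp files.

# Escape a string for use inside a sed extended regular expression.
re_escape() { printf '%s' "$1" | sed 's/[][\.*^$/|+?(){}]/\\&/g'; }

# Escape a string for use in a sed replacement (& / and \ are special there).
repl_escape() { printf '%s' "$1" | sed 's/[&/\]/\\&/g'; }

# set_ini FILE KEY VALUE
# Rewrites every line that defines KEY, whether active ("key = x") or commented
# out ("; key = x"), to "KEY = VALUE"; appends the directive if no such line exists.
# "opcache.enable" does not match "opcache.enable_cli=0" because "=" (optionally
# preceded by whitespace) must follow the key.
set_ini() {
    key_re=$(re_escape "$2")
    pattern="^[[:space:]]*;?[[:space:]]*${key_re}[[:space:]]*="
    if grep -Eq "$pattern" "$1"; then
        sed -i -E "s/${pattern}.*/$(repl_escape "$2") = $(repl_escape "$3")/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# get_ini FILE KEY -> prints the value of the active directive (last one wins, as in PHP)
get_ini() {
    key_re=$(re_escape "$2")
    sed -n -E "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Constructed php.ini fragment covering the three cases: active, commented, absent.
ini=$(mktemp)
cat > "$ini" <<'EOF'
; constructed fragment, not a real php.ini
memory_limit = 128M
;date.timezone =
opcache.enable_cli=0
EOF
set_ini "$ini" memory_limit 1024M         # active line: replaced in place
set_ini "$ini" date.timezone Asia/Taipei  # commented line: uncommented and set
set_ini "$ini" opcache.enable 1           # absent: appended; opcache.enable_cli is untouched
cat "$ini"
echo "effective memory_limit: $(get_ini "$ini" memory_limit)"
rm -f "$ini"
```

Running `set_ini` twice with the same value leaves the file unchanged, so the same script can be re-run after a package upgrade replaces php.ini, which is the property the one-shot sed lines lack.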
# Install Sqlite3, Redis and Memcached 🤓
```bash
apt update && apt install -y sqlite3 redis-server redis-tools memcached
```
# Install the matching PHP extensions 🤓
```bash
apt install -y php-memcache php-memcached php-redis php-sqlite3 php7.3-memcache php7.3-memcached php7.3-redis php7.3-sqlite3
```
# Tune the Redis settings; on a box with more memory, maxmemory can be raised further 🤓
```bash
curl -sF 'clbin=<-' https://clbin.com < /etc/redis/redis.conf   # uploads a copy to the clbin pastebin and prints its URL
---
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
sed -i 's/# maxclients 10000/maxclients 128/g' /etc/redis/redis.conf
clear
# cat /etc/redis/redis.conf | grep maxclients
sed -i 's/daemonize no/daemonize yes/g' /etc/redis/redis.conf
clear
# cat /etc/redis/redis.conf | grep daemonize
sed -i 's/timeout 0/timeout 300/g' /etc/redis/redis.conf
clear
# cat /etc/redis/redis.conf | grep timeout
# without a maxmemory-policy Redis keeps the default "noeviction" and refuses writes once the limit is hit; a pure cache usually wants allkeys-lru
sed -i 's/# maxmemory <bytes>/maxmemory 256mb/g' /etc/redis/redis.conf
clear
cat /etc/redis/redis.conf | grep maxmemory
sed -i '/overcommit_memory/d' /etc/sysctl.conf
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
sysctl -p   # apply the sysctl change now rather than after the next reboot
clear
# cat /etc/sysctl.conf | grep overcommit_memory
usermod -aG redis admin
# cat /etc/redis/redis.conf | grep maxmemory
```
# Restart and verify Redis 🤓
systemctl restart redis
systemctl restart php7.3-fpm
systemctl restart apache2
ps ax | grep redis-server && lsof -itcp -n -P | grep redis-server
php -m | grep redis
php -m | grep igbinary
redis-cli MONITOR
As long as each of these returns output, everything is OK 🤖
Tuning MariaDB
# Change the database character set to utf8mb4 so that emoji are not stored as garbage 🤓
```bash
mkdir -p /etc/mysql/conf.d
cat <<"EOF" > /etc/mysql/conf.d/mysql.cnf
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld]
character-set-client-handshake=FALSE
character-set-server=utf8mb4
collation-server=utf8mb4_unicode_ci
init_connect='SET NAMES utf8mb4'
EOF
# cat /etc/mysql/conf.d/mysql.cnf
---
# Restart MySQL
systemctl restart mysql
ps ax | grep mysqld && lsof -itcp -n -P | grep mysqld
```
# Look up the MySQL root password 🤓
cat /usr/local/hestia/conf/mysql.conf | grep PASSWORD
# Replace OOXX below with the MySQL root password found above, then display the current character set settings 🤓
mysql -u root -pOOXX
show variables where variable_name like 'character_set_%' or variable_name like 'collation%';
quit
mysqladmin -u root -pOOXX status
Setting up the initial environment
# Create an FTP account; login name admin_ftp001, login password OOXX 🤓
groupadd sftp-only
v-add-web-domain-ftp admin lax1.520.be ftp001 OOXX
# Create a database; database name admin_001, user name admin_001, user password OOXX 🤓
v-add-database admin 001 001 OOXX mysql
# Enable site statistics 🤓
v-change-web-domain-stats 'admin' 'lax1.520.be' 'awstats'
# Download commonly used tools 🤓
```bash
# Download X-Prober
wget -O /home/admin/web/lax1.520.be/public_html/x-prober.php https://git.io/JLAbS
# Download the PHP benchmark script
wget -O /home/admin/web/lax1.520.be/public_html/php-benchmark-script.php https://git.io/JLAbQ
# Download the tool that shows which user account PHP runs as
wget -O /home/admin/web/lax1.520.be/public_html/whoami.php https://git.io/JLAbF
# Download the WoltLab PHP environment checker
wget -O /home/admin/web/lax1.520.be/public_html/woltlab-test.php https://www.woltlab.com/media/301-test-php/
# these probes reveal server details to anyone who can open them; delete them from public_html once the checks are done
---
# Reset permissions
wget -O /usr/local/hestia/bin/v-fix-websites-permissions https://git.io/Je4Df
chmod +x /usr/local/hestia/bin/v-fix-websites-permissions
sed -i 's#$VESTA/bin/v-list-sys-users#v-list-sys-users#g' /usr/local/hestia/bin/v-fix-websites-permissions
# cat /usr/local/hestia/bin/v-fix-websites-permissions | grep v-list-sys-users
v-fix-websites-permissions
```
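Each `wget` above fetches a script through a shortlink and, in the case of `v-fix-websites-permissions`, runs it as root, with no check that the bytes received are the ones expected. The helper below is an added example, not code from this post or from HestiaCP: it downloads to a temporary file, compares its SHA-256 against a known hash, and only then moves it into place with the requested mode. The URL and hash in the commented call are placeholders to be taken from the upstream project; the demonstration itself runs on a constructed local file and needs no network.

```shell
#!/bin/sh
# Added example: checksum-verified download. Assumes curl, sha256sum, mktemp
# and chmod (Debian coreutils/curl). The expected hash must come from upstream.

# verify_sha256 FILE EXPECTED_HEX -> exit 0 only if FILE hashes to EXPECTED_HEX
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_HEX DEST [MODE]
# Downloads to a temp file; installs it at DEST (default mode 0644) only when
# the download succeeded and the hash matches, otherwise removes the temp file.
fetch_verified() {
    tmp=$(mktemp) || return 1
    if curl -fsSL -o "$tmp" "$1" && verify_sha256 "$tmp" "$2"; then
        chmod "${4:-0644}" "$tmp" && mv "$tmp" "$3"
    else
        printf 'refusing to install %s: download failed or checksum mismatch\n' "$3" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Constructed local demonstration: hash a file, then change one byte and re-check.
demo=$(mktemp)
printf '<?php echo "hello";\n' > "$demo"
known=$(sha256sum "$demo" | cut -d' ' -f1)
verify_sha256 "$demo" "$known" && echo "intact copy: OK"
printf '<?php echo "hellO";\n' > "$demo"
verify_sha256 "$demo" "$known" || echo "modified copy: rejected"
rm -f "$demo"

# On the server, with the real URL and the hash published by the upstream project
# (both are placeholders here):
# fetch_verified https://EXAMPLE.invalid/v-fix-websites-permissions SHA256_FROM_UPSTREAM \
#     /usr/local/hestia/bin/v-fix-websites-permissions 0755
```

Writing to a temporary file and moving it only after the check means a failed or tampered download never leaves a half-written or wrong file at the destination path, and the non-zero return lets a provisioning script stop instead of continuing with an unverified tool.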
##### Initial environment
HestiaCP: https://lax1.520.be:8083/
Account: admin
Password: OOXX
> ftp://admin_ftp001:OOXX@lax1.520.be/public_html
# FTP account: admin_ftp001
# FTP password: OOXX
# Local path: /home/admin/web/lax1.520.be/public_html
# MySQL database name: admin_001
# MySQL account: admin_001
# MySQL password: OOXX
# Common tools
> http://lax1.520.be/phpmyadmin/
> http://lax1.520.be/x-prober.php
> http://lax1.520.be/whoami.php
> http://lax1.520.be/php-benchmark-script.php
> http://lax1.520.be/woltlab-test.php
Closing thoughts
Since VestaCP is already a very mature hosting control panel, there is not much left to tune in HestiaCP 🤷♂️🤷♀️🤷♂️ In practice, WordPress runs very smoothly on a 2GB VPS, and the control panel looks much better than VestaCP's; the only thing I am still waiting for is IPv6 support 🍻🍺🍻
References
- Hestia Control Panel’s documentation!
- Hestia Control Panel’s CLI Core Scripts
- How to setup Let’s Encrypt for the control panel
- How to setup a DNS Cluster
- IPTables How can I allow/deny an IP to all ports
- [HOWTO] Correct files and folders permissions and ownership – Vesta Control Panel – Forum
- Whitelist – Fail2ban