Happy New Year 2021 🌞㊗☃ Lately I have spent some time trying out HestiaCP and myVesta, two web hosting control panels descended from VestaCP 🐱👓🐱 🐱👓 Feature-wise, apart from both supporting only Debian (HestiaCP also supports Ubuntu), both put a strong emphasis on security. HestiaCP, however, ships its own PHP version selector (5.4, 7.0 to 7.4 and 8.0 are available), which makes it the better fit for a site-building environment or for people who like to tinker; its documentation is more detailed and it has more stars on GitHub. Worth mentioning too: once HSTS and HTTP/2 are configured for a site, it gets an A+ on the ssllabs test straight away, with no extra fiddling 🐱🏍 Installing and operating it also felt closer to my own habits, and the control panel has been restyled 👍😘💪 myVesta is of course very good as well; both feel much like VestaCP in use. These are my notes for the record 🏂🐱🏍🏇
Preparation
Out of habit I always set the hostname to the domain name I am about to configure (usually a subdomain), and HestiaCP's SSL setup can use that hostname directly, which is why HestiaCP feels closer to the way I work 🚅🏎🛸🛥🚆
# Set the hostname
hostnamectl set-hostname lax1.520.be && hostname lax1.520.be
exec bash
---
# DNS resolvers
cat <<EOF > /etc/resolv.conf
nameserver 1.1.1.1
nameserver 9.9.9.9
nameserver 2001:2001::
nameserver 2620:fe::fe
EOF
# cat /etc/resolv.conf
---
# Update the system
apt-get install -y sudo
sudo apt-get update
sudo apt-get install -y lsb-base screen perl tar unzip gzip bzip2 ftp mtr traceroute mutt cron htop mlocate wget curl net-tools dnsutils lsof ncdu ca-certificates
sudo apt-get upgrade -y
sudo apt-get autoremove --purge -y
Installing HestiaCP
Start a screen session first so that a dropped connection does not interrupt the install 🤓
screen -S HestiaCP
My setup installs Apache, NGINX, multi-PHP, Bind, Exim, MariaDB, Vsftpd and Fail2Ban; the remaining email-related features are left out entirely because they consume a great deal of resources. Another HestiaCP advantage that shows up here is that the interface language and the port the control panel listens on can be set directly at install time 😎 The other installation options are described in the HestiaCP documentation
cd /opt
wget -O hst-install.sh https://git.io/JedYV
# Component flags take yes/no; -r is the control panel port, -l the language, -y no runs non-interactively,
# -s the hostname, -e the admin e-mail and -f forces the install (see the HestiaCP docs for the full flag list)
bash hst-install.sh -a yes -n yes -w yes -o yes -v yes -k yes \
-m yes -g no -x yes -z no -c no -t no -i yes -b yes -q yes -d yes \
-r 5566 -l zh-tw -y no -s lax1.520.be -e admin@520.be -f
Thanks to the way Debian works, most of the software is simply installed with apt; get up, stretch, make a coffee, and it is done in about 15 minutes. When the install finishes, the login details are shown in the SSH session: write down the login password, then reboot 🤖🤓🤖
Tuning HestiaCP
# Make HestiaCP's CLI utilities callable directly from the shell 🤓
source /etc/profile
PATH=$PATH:/usr/local/hestia/bin && export PATH
# Issue an SSL certificate for the hostname, generate the HSTS and HTTP/2 settings for stronger security, then force HTTP to redirect to HTTPS 🤓
v-add-letsencrypt-host
v-add-web-domain-ssl-hsts 'admin' 'lax1.520.be'
v-add-web-domain-ssl-force 'admin' 'lax1.520.be'
If the hostname differs from the domain name, use this command instead 🤖
v-add-letsencrypt-domain admin lax1.520.be
# SSL file locations 🤖
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.crt
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.key
/home/admin/conf/web/lax1.520.be/ssl/lax1.520.be.ca
# Remove the installer profiles for platforms that are not needed 🤓
rm -fr /usr/local/hestia/install/rhel
rm -fr /usr/local/hestia/install/ubuntu
rm -fr /usr/local/hestia/install/debian/7
rm -fr /usr/local/hestia/install/debian/8
rm -fr /usr/local/hestia/install/debian/9
# Custom whitelist 🤓
touch /etc/iptables.up.rules
### Cloudflare whitelist (port 0 = all ports; curl -f makes an HTTP error return nothing instead of an error page)
for x in $(curl -fsS https://www.cloudflare.com/ips-v4); do v-add-firewall-rule ACCEPT $x 0; done
---
### HetrixTools whitelist
for x in $(curl -fsS https://hetrixtools.com/resources/uptime-monitor-only-ips.txt); do v-add-firewall-rule ACCEPT $x 0; done
# cat /usr/local/hestia/data/firewall/rules.conf
---
### MxToolbox whitelist
v-add-firewall-rule 'ACCEPT' '64.20.227.128/24' '0' # MxToolbox
v-add-firewall-rule 'ACCEPT' '52.55.244.91/32' '0' # MxToolbox
v-add-firewall-rule 'ACCEPT' '18.205.72.90/32' '0' # MxToolbox
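The two curl loops above hand every line the remote list returns straight to v-add-firewall-rule, so an HTML error page or a redirect notice served in place of the list would end up as a rule argument. The functions below are an added example, not code from the original notes or from HestiaCP: they validate each fetched entry as an IPv4 address or CIDR before it is used. The sample list they run on is constructed, and the live curl/v-add-firewall-rule pipeline is left in a comment so the block runs offline.

```shell
#!/bin/sh
# Added example: only well-formed IPv4 addresses/CIDRs from a fetched list become firewall rules.

# valid_cidr4 ENTRY: succeed only for a dotted-quad IPv4 address, optionally with a /0-32 prefix
valid_cidr4() {
  entry=$1
  case $entry in
    */*) ip=${entry%/*}; prefix=${entry#*/} ;;
    *)   ip=$entry; prefix=32 ;;
  esac
  case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac       # one or two digits only
  [ "$prefix" -le 32 ] || return 1
  case $ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac       # digits and single dots, no leading/trailing dot
  n=0
  oldifs=$IFS; IFS=.
  for o in $ip; do
    n=$((n + 1))
    if [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]                                            # exactly four octets
}

# filter_cidr_list: read one entry per line from stdin, print only the valid ones
filter_cidr_list() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')                # tolerate CRLF line endings
    [ -n "$line" ] || continue
    if valid_cidr4 "$line"; then
      printf '%s\n' "$line"
    else
      printf 'skipping non-CIDR entry: %s\n' "$line" >&2
    fi
  done
}

# Live use (needs the network, so kept as a comment here):
#   curl -fsS https://www.cloudflare.com/ips-v4 | filter_cidr_list \
#     | while IFS= read -r net; do v-add-firewall-rule ACCEPT "$net" 0; done

# Constructed sample standing in for a fetched list that came back with an error page mixed in
SAMPLE_LIST='173.245.48.0/20
<html><body>503 Service Unavailable</body></html>
103.21.244.0/22
not-an-address
10.0.0.0/33
198.41.128.0/17'

# count_valid: number of entries from SAMPLE_LIST that would become rules (3)
count_valid() { printf '%s\n' "$SAMPLE_LIST" | filter_cidr_list 2>/dev/null | grep -c '^'; }
```

The validator is plain POSIX sh, so it works under dash as well as bash. It only checks syntax; whether a given range should be trusted with all ports open is still a decision about the list's publisher.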
# Example: opening custom ports 🤖
touch /etc/iptables.up.rules
v-add-firewall-rule ACCEPT 0.0.0.0/0 22 TCP SSH
v-add-firewall-rule ACCEPT 0.0.0.0/0 5566 TCP HestiaCP
# Custom Fail2ban whitelist 🤓
# Upload the current jail.conf to a public pastebin for reference (the returned URL is readable by anyone)
curl -sF 'clbin=<-' https://clbin.com < /etc/fail2ban/jail.conf #>
---
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak
---
# Uncomment ignoreip and add the addresses that must never be banned (local network and the resolvers set above)
sed -i 's/#ignoreip = 127.0.0.1\/8 ::1/ignoreip = 127.0.0.1\/8 ::1 192.168.1.0\/24 1.1.1.1 9.9.9.9 2001:2001:: 2620:fe::fe/g' /etc/fail2ban/jail.conf
# grep ignoreip /etc/fail2ban/jail.conf
systemctl restart fail2ban
Tuning PHP
PHP 7.3 is neither too new nor too old and has the widest extension support, so compared with the other versions it is the best fit for a site-building environment; recommended 🤓🤖🤓
v-change-web-domain-backend-tpl 'admin' 'lax1.520.be' 'PHP-7_3'
v-change-user-php-cli 'admin' '7.3'
# Adjust the PHP 7.3 settings; on a machine with more memory, opcache.memory_consumption can be raised further 🤓
# Upload the current php.ini to a public pastebin for reference (the returned URL is readable by anyone)
curl -sF 'clbin=<-' https://clbin.com < /etc/php/7.3/fpm/php.ini #>
---
cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.bak
# Uncomment disable_functions if needed, then set the list of functions PHP scripts may not call
# (process spawning, ownership changes, raw sockets, dynamic extension loading)
sed -i 's/; disable_functions/disable_functions/g' /etc/php/7.3/fpm/php.ini
sed -i 's/disable_functions =.*/disable_functions = passthru,system,chroot,chgrp,chown,ini_alter,ini_restore,dl,symlink,popen,stream_socket_server,fsockopen/g' /etc/php/7.3/fpm/php.ini
# grep ^disable_functions /etc/php/7.3/fpm/php.ini
# vi +/disable_functions /etc/php/7.3/fpm/php.ini
---
sed -i 's/memory_limit =.*/memory_limit = 1024M/g' /etc/php/7.3/fpm/php.ini
# grep ^memory_limit /etc/php/7.3/fpm/php.ini
# vi +/memory_limit /etc/php/7.3/fpm/php.ini
---
sed -i 's/post_max_size =.*/post_max_size = 1024M/g' /etc/php/7.3/fpm/php.ini
# grep ^post_max_size /etc/php/7.3/fpm/php.ini
# vi +/post_max_size /etc/php/7.3/fpm/php.ini
---
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 1024M/g' /etc/php/7.3/fpm/php.ini
# grep ^upload_max_filesize /etc/php/7.3/fpm/php.ini
# vi +/upload_max_filesize /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_execution_time =.*/max_execution_time = 600/g' /etc/php/7.3/fpm/php.ini
# grep ^max_execution_time /etc/php/7.3/fpm/php.ini
# vi +/max_execution_time /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_input_time =.*/max_input_time = 600/g' /etc/php/7.3/fpm/php.ini
# grep ^max_input_time /etc/php/7.3/fpm/php.ini
# vi +/max_input_time /etc/php/7.3/fpm/php.ini
---
sed -i 's/max_file_uploads =.*/max_file_uploads = 2000/g' /etc/php/7.3/fpm/php.ini
# grep ^max_file_uploads /etc/php/7.3/fpm/php.ini
# vi +/max_file_uploads /etc/php/7.3/fpm/php.ini
---
# max_input_vars ships commented out ("; max_input_vars = 1000"), so the comment marker has to go too
sed -i 's/^;\? *max_input_vars =.*/max_input_vars = 5000/' /etc/php/7.3/fpm/php.ini
# grep ^max_input_vars /etc/php/7.3/fpm/php.ini
# vi +/max_input_vars /etc/php/7.3/fpm/php.ini
---
# date.timezone also ships commented out (";date.timezone =")
sed -i 's/^;\?date.timezone =.*/date.timezone = Asia\/Taipei/' /etc/php/7.3/fpm/php.ini
# grep ^date.timezone /etc/php/7.3/fpm/php.ini
# vi +/date.timezone /etc/php/7.3/fpm/php.ini
---
# Only send the session cookie over HTTPS (the site is forced to HTTPS above)
sed -i 's/;session.cookie_secure =.*/session.cookie_secure = True/g' /etc/php/7.3/fpm/php.ini
# grep ^session.cookie_secure /etc/php/7.3/fpm/php.ini
# vi +/session.cookie_secure /etc/php/7.3/fpm/php.ini
---
# Drop the existing opcache lines (this also removes opcache.enable_cli) and append explicit values
sed -i '/opcache.enable/d' /etc/php/7.3/fpm/php.ini
echo "opcache.enable=1" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.memory_consumption/d' /etc/php/7.3/fpm/php.ini
echo "opcache.memory_consumption=128" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.interned_strings_buffer/d' /etc/php/7.3/fpm/php.ini
echo "opcache.interned_strings_buffer=8" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.max_accelerated_files/d' /etc/php/7.3/fpm/php.ini
echo "opcache.max_accelerated_files=4000" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.revalidate_freq/d' /etc/php/7.3/fpm/php.ini
echo "opcache.revalidate_freq=60" >> /etc/php/7.3/fpm/php.ini
sed -i '/opcache.fast_shutdown/d' /etc/php/7.3/fpm/php.ini
echo "opcache.fast_shutdown=1" >> /etc/php/7.3/fpm/php.ini   # no effect since PHP 7.2, where this setting was removed
# grep opcache /etc/php/7.3/fpm/php.ini
/usr/sbin/apachectl -t
As long as the last command ends with the message Syntax OK, the configuration is fine ~ 🤖
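Both the Fail2ban ignoreip edit and the php.ini edits above are single-pattern sed substitutions: they leave a directive commented out when the original line starts with ";" or "#" (date.timezone ships as ";date.timezone ="), and the echo-append opcache lines add another copy on every re-run. The helper below is an added example, not code from these notes or from HestiaCP. It sets a key = value directive whether the existing line is active, commented or absent, and running it twice changes nothing. It is not section-aware, so it is meant for keys that occur once in the file (the php.ini keys above, ignoreip in [DEFAULT]); the php.ini and jail.conf fragments in the demo are constructed. For Fail2ban the same call can be pointed at /etc/fail2ban/jail.local, which overrides jail.conf and survives package upgrades.

```shell
#!/bin/sh
# Added example: idempotent "key = value" editing for php.ini-style (";") and jail.conf-style ("#") files.

# set_ini KEY VALUE FILE [COMMENT_CHAR]   (COMMENT_CHAR defaults to ";")
set_ini() {
  key=$1; value=$2; file=$3; cc=${4:-";"}
  tmp=$(mktemp) || return 1
  if awk -v key="$key" -v value="$value" -v cc="$cc" '
      {
        line = $0
        sub("^[ \t]*" cc "[ \t]*", "", line)            # look past a leading comment marker
        if (match(line, /^[A-Za-z0-9_.-]+[ \t]*=/)) {
          k = substr(line, RSTART, RLENGTH)
          sub(/[ \t]*=$/, "", k)
          if (k == key) {
            if (!done) { print key " = " value; done = 1 } # first hit becomes the active line
            next                                          # later copies, commented or not, are dropped
          }
        }
        print
      }
      END { if (!done) print key " = " value }            # key absent: append it
    ' "$file" > "$tmp"; then
    cat "$tmp" > "$file"                                  # cat keeps the target mode and owner
  fi
  rm -f "$tmp"
}

# get_ini KEY FILE [COMMENT_CHAR]: print the value of the active (uncommented) line
get_ini() {
  cc=${3:-";"}
  awk -v key="$1" -v cc="$cc" '
    $0 ~ ("^[ \t]*" cc) { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }
  ' "$2"
}

# demo_set_ini: exercise both styles on constructed fragments and report the resulting values
demo_set_ini() {
  ini=$(mktemp); jail=$(mktemp)
  # Constructed php.ini fragment (not the real file): one active key, commented-out keys, an opcache line
  printf '%s\n' '[PHP]' '; Default Value: Off' 'memory_limit = 128M' ';date.timezone =' \
    ';session.cookie_secure =' '[opcache]' ';opcache.enable=1' > "$ini"
  # Constructed jail.conf fragment with the default commented ignoreip line
  printf '%s\n' '[DEFAULT]' '# "ignoreip" can be a list of IP addresses' \
    '#ignoreip = 127.0.0.1/8 ::1' 'bantime = 10m' > "$jail"

  set_ini date.timezone Asia/Taipei "$ini"
  set_ini session.cookie_secure 1 "$ini"
  set_ini memory_limit 1024M "$ini"
  set_ini opcache.enable 1 "$ini"
  set_ini opcache.enable 1 "$ini"                         # second run must not add a duplicate
  set_ini ignoreip '127.0.0.1/8 ::1 192.168.1.0/24' "$jail" '#'

  printf '%s|%s|%s|%s|%s\n' \
    "$(get_ini date.timezone "$ini")" "$(get_ini memory_limit "$ini")" \
    "$(get_ini opcache.enable "$ini")" "$(grep -c 'opcache.enable' "$ini")" \
    "$(get_ini ignoreip "$jail" '#')"
  rm -f "$ini" "$jail"
}
```

On the real files the calls look like set_ini date.timezone Asia/Taipei /etc/php/7.3/fpm/php.ini and set_ini ignoreip '127.0.0.1/8 ::1 192.168.1.0/24' /etc/fail2ban/jail.local '#', followed by the same grep checks and service restarts as above.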
# Install SQLite3, Redis and Memcached 🤓
apt update && apt install -y sqlite3 redis-server redis-tools memcached
# Install the matching PHP extensions 🤓
apt install -y php-memcache php-memcached php-redis php-sqlite3 php7.3-memcache php7.3-memcached php7.3-redis php7.3-sqlite3
# Adjust the Redis settings; on a machine with more memory, maxmemory can be raised further 🤓
# Upload the current redis.conf to a public pastebin for reference (the returned URL is readable by anyone)
curl -sF 'clbin=<-' https://clbin.com < /etc/redis/redis.conf #>
---
cp /etc/redis/redis.conf /etc/redis/redis.conf.bak
# Cap the number of simultaneous client connections
sed -i 's/# maxclients 10000/maxclients 128/g' /etc/redis/redis.conf
# grep maxclients /etc/redis/redis.conf
sed -i 's/daemonize no/daemonize yes/g' /etc/redis/redis.conf
# grep daemonize /etc/redis/redis.conf
# Close client connections idle for more than 300 seconds
sed -i 's/timeout 0/timeout 300/g' /etc/redis/redis.conf
# grep timeout /etc/redis/redis.conf
# Bound the dataset at 256 MB; with the default maxmemory-policy (noeviction) writes are refused once the limit is hit
sed -i 's/# maxmemory <bytes>/maxmemory 256mb/g' /etc/redis/redis.conf
grep maxmemory /etc/redis/redis.conf
# Allow memory overcommit so background saves (fork) do not fail on a small box; persist it and apply it now
sed -i '/overcommit_memory/d' /etc/sysctl.conf
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
sysctl -p
# grep overcommit_memory /etc/sysctl.conf
usermod -aG redis admin
# grep maxmemory /etc/redis/redis.conf
# Restart and verify Redis 🤓
systemctl restart redis
systemctl restart php7.3-fpm
systemctl restart apache2
ps ax | grep redis-server && lsof -itcp -n -P | grep redis-server
php -m | grep redis
php -m | grep igbinary
redis-cli MONITOR
As long as each of these produces a response, everything is OK 🤖
Tuning MariaDB
# Change the database character set to utf8mb4 so that emoji are not garbled 🤓
mkdir -p /etc/mysql/conf.d
cat <<"EOF" > /etc/mysql/conf.d/mysql.cnf
[client]
default-character-set=utf8mb4
[mysql]
default-character-set=utf8mb4
[mysqld]
character-set-client-handshake=FALSE
character-set-server=utf8mb4
collation-server=utf8mb4_unicode_ci
init_connect='SET NAMES utf8mb4'
EOF
# cat /etc/mysql/conf.d/mysql.cnf
---
# Restart MySQL
systemctl restart mysql
ps ax | grep mysqld && lsof -itcp -n -P | grep mysqld
# Look up the MySQL root password 🤓
cat /usr/local/hestia/conf/mysql.conf | grep PASSWORD
# Substitute the MySQL root password found above for OOXX below, then show the current character set (a password given on the command line ends up in the shell history; mysql -u root -p prompts for it instead) 🤓
mysql -u root -pOOXX
show variables where variable_name like 'character_set_%' or variable_name like 'collation%';
quit
mysqladmin -u root -pOOXX status
Setting up the initial environment
# Create an FTP account: login admin_ftp001, password OOXX 🤓
groupadd sftp-only
v-add-web-domain-ftp admin lax1.520.be ftp001 OOXX
# Create a database: database name admin_001, user name admin_001, user password OOXX 🤓
v-add-database admin 001 001 OOXX mysql
# Enable web statistics 🤓
v-change-web-domain-stats 'admin' 'lax1.520.be' 'awstats'
# Download frequently used tools 🤓
# Download X-Prober
wget -O /home/admin/web/lax1.520.be/public_html/x-prober.php https://git.io/JLAbS
# Download a PHP benchmark script
wget -O /home/admin/web/lax1.520.be/public_html/php-benchmark-script.php https://git.io/JLAbQ
# Download a script that shows which user account PHP runs as
wget -O /home/admin/web/lax1.520.be/public_html/whoami.php https://git.io/JLAbF
# Download the WoltLab PHP environment test
wget -O /home/admin/web/lax1.520.be/public_html/woltlab-test.php https://www.woltlab.com/media/301-test-php/
# These probes disclose PHP and server details to anyone who can reach the URL; remove them from public_html once the checks are done
---
# Reset permissions (the script comes from a shortlink and will run as root: read it before making it executable)
wget -O /usr/local/hestia/bin/v-fix-websites-permissions https://git.io/Je4Df
chmod +x /usr/local/hestia/bin/v-fix-websites-permissions
# The script was written for VestaCP; point it at the HestiaCP command instead of $VESTA/bin
sed -i 's#$VESTA/bin/v-list-sys-users#v-list-sys-users#g' /usr/local/hestia/bin/v-fix-websites-permissions
# grep v-list-sys-users /usr/local/hestia/bin/v-fix-websites-permissions
v-fix-websites-permissions
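The permission-fixing script above is fetched through a shortlink and then made executable in /usr/local/hestia/bin, where it runs as root. The functions below are an added example, not code from these notes or from HestiaCP: they install a downloaded file only when its SHA-256 digest matches a value recorded when the script was first reviewed, and refuse (leaving the destination untouched) when it does not. The digest in the usage comment is a placeholder, and the demo works on a constructed file so the block runs offline.

```shell
#!/bin/sh
# Added example: pin a digest for scripts downloaded from shortlinks before installing them.

# sha256_of FILE: hex digest on stdout (sha256sum on Linux, shasum fallback elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified SRC DEST EXPECTED_SHA256 [MODE]
# Copies SRC to DEST with MODE (default 0755) only when the digest matches; otherwise
# DEST is left untouched and the function returns 1.
install_verified() {
  src=$1; dest=$2; expected=$3; mode=${4:-0755}
  actual=$(sha256_of "$src") || return 1
  if [ "$actual" != "$expected" ]; then
    printf 'refusing %s: sha256 %s does not match expected %s\n' "$dest" "$actual" "$expected" >&2
    return 1
  fi
  cp "$src" "$dest" && chmod "$mode" "$dest"
}

# fetch_verified URL DEST EXPECTED_SHA256: download to a temp file, then install_verified
# (needs the network, so it is not exercised by the offline demo below)
fetch_verified() {
  tmp=$(mktemp) || return 1
  wget -qO "$tmp" "$1" && install_verified "$tmp" "$2" "$3"
  rc=$?
  rm -f "$tmp"
  return $rc
}
# Usage with the path from the notes; the digest is whatever you recorded when you first read the script:
#   fetch_verified https://git.io/Je4Df /usr/local/hestia/bin/v-fix-websites-permissions <SHA256_RECORDED_AT_REVIEW>

# demo_install_verified: one matching and one mismatching install on a constructed script file
demo_install_verified() {
  work=$(mktemp -d)
  printf '%s\n' '#!/bin/sh' 'echo constructed demo script' > "$work/candidate"
  good=$(sha256_of "$work/candidate")
  bad=0000000000000000000000000000000000000000000000000000000000000000    # constructed wrong digest

  install_verified "$work/candidate" "$work/installed" "$good" && r1=ok || r1=refused
  install_verified "$work/candidate" "$work/tampered" "$bad" 2>/dev/null && r2=ok || r2=refused
  [ -x "$work/installed" ] && e1=present || e1=absent
  [ -e "$work/tampered" ] && e2=present || e2=absent
  rm -rf "$work"
  printf '%s,%s,%s,%s\n' "$r1" "$e1" "$r2" "$e2"
}
```

The same pattern fits the four probe scripts fetched into public_html: record their digests once, and re-fetching later either reproduces them or stops.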
##### Initial environment
HestiaCP: https://lax1.520.be:8083/
Account: admin
Password: OOXX
> ftp://admin_ftp001:OOXX@lax1.520.be/public_html
# FTP account admin_ftp001
# FTP password OOXX
# Local path: /home/admin/web/lax1.520.be/public_html
# MySQL database name: admin_001
# MySQL account: admin_001
# MySQL password: OOXX
# Frequently used tools
> http://lax1.520.be/phpmyadmin/
> http://lax1.520.be/x-prober.php
> http://lax1.520.be/whoami.php
> http://lax1.520.be/php-benchmark-script.php
> http://lax1.520.be/woltlab-test.php
Closing remarks
Since VestaCP is already a very mature hosting control panel, there is not much that needs tuning in HestiaCP 🤷♂️🤷♀️🤷♂️ In practice WordPress runs very smoothly on a VPS with 2 GB of memory, and the control panel looks far better than VestaCP's; the only thing I still miss after using it so far is IPv6 support, which I hope arrives later 🍻🍺🍻
ref.
- Hestia Control Panel’s documentation!
- Hestia Control Panel’s CLI Core Scripts
- How to setup Let’s Encrypt for the control panel
- How to setup a DNS Cluster
- IPTables How can I allow/deny an IP to all ports
- [HOWTO] Correct files and folders permissions and ownership – Vesta Control Panel – Forum
- Whitelist – Fail2ban
