Sharing an Internet connection with OpenVPN on CentOS

Problem

Three machines sit on the same LAN; only one of them can reach the Internet, and none has a second network card. I tried a SOCKS5 proxy without success and finally went with OpenVPN. The OpenVPN configuration is written up below for future reference.

Installing the server

Install it directly with yum install openvpn -y.

Generating certificates

OpenVPN authenticates with certificates, so both the client and the server need their own. I used the Easy-RSA 2.2.2 scripts found online (not the latest version).

After unpacking, run source ./vars to import the required environment variables.

Generate the CA certificate:

./build-ca

Generate the server certificate:

# server is the name
./build-key-server server 

Generate the client certificate:

# client7 is the name
./build-key client7 

Generate the Diffie-Hellman parameters, which OpenVPN needs:

./build-dh

Server configuration

Edit the configuration file with vim server.conf:

# port
port 1194
# the ca/cert/key directives can keep their default names

# make the server the clients' default gateway; without this, client traffic does not go through the server, which is the whole point
push "redirect-gateway def1 bypass-dhcp"
# set the clients' DNS; otherwise the client cannot ping domain names
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

Enable IP forwarding in vi /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Apply the setting with sysctl -p.

Start

openvpn server.conf

Installing the client

Since the client has no Internet access, download the packages beforehand and copy them over:

scp rpm/*.rpm root@192.168.1.7:

Install them:

rpm -ivh pkcs11-helper-1.11-3.el7.x86_64.rpm;
rpm -ivh lz4-r131-1.el7.x86_64.rpm;
rpm -ivh openvpn-2.4.4-1.el7.x86_64.rpm;

Edit the client configuration file with vim client.conf:

# server IP and port
remote 192.168.1.8 1194
# comment this line out; tls-auth is not used here
tls-auth ta.key 1
# change these to your own certificate and key
cert client7.crt
key client7.key

Copy the certificates over:

scp ca.crt client7.crt client7.key root@192.168.1.7:/etc/openvpn/client/

Start:

openvpn client.conf
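The server and client configurations above are short, but two directives decide whether the shared-Internet setup works at all (the redirect-gateway push and ip_forward), and one directive that the post switches off on the client (tls-auth) decides how exposed the control channel is. The following is an added example, not from the original post, that parses OpenVPN-style configuration files and audits them for those points. The sample configurations and the sysctl snippet are constructed for the example; the finding codes and function names are mine.

```python
"""Added example, not from the original post: parse OpenVPN configuration files
and audit the settings the shared-Internet setup depends on.  The sample configs
and the sysctl snippet below are constructed for the example."""
import shlex


def parse_openvpn_config(text):
    """Return (directive, args) pairs.  OpenVPN ignores lines that start with
    '#' or ';', and shlex handles the double-quoted argument of 'push'."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def directive_args(directives, name):
    """All argument lists given for one directive (a directive may repeat)."""
    return [args for directive, args in directives if directive == name]


def audit_server(text):
    """Findings for server.conf: the redirect-gateway push is what sends client
    traffic out through the server; the DNS push keeps name resolution working
    once the default route changes; tls-auth/tls-crypt is a hardening check."""
    directives = parse_openvpn_config(text)
    pushes = [args[0] for args in directive_args(directives, "push") if args]
    findings = []
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append("no-redirect-gateway")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("no-dns-push")
    if not (directive_args(directives, "tls-auth") or directive_args(directives, "tls-crypt")):
        findings.append("no-tls-auth")
    return findings


def audit_client(text, expected_host, expected_port):
    """Findings for client.conf: remote must point at the server, and the
    ca/cert/key trio must be present (these are the files the post copies over)."""
    directives = parse_openvpn_config(text)
    findings = []
    remotes = directive_args(directives, "remote")
    if not remotes:
        findings.append("no-remote")
    elif remotes[0][:2] != [expected_host, expected_port]:
        findings.append("remote-mismatch")
    for name in ("ca", "cert", "key"):
        if not directive_args(directives, name):
            findings.append("missing-" + name)
    return findings


def ip_forward_enabled(sysctl_text):
    """True when the sysctl.conf text sets net.ipv4.ip_forward = 1
    (the last assignment wins, as with sysctl -p)."""
    value = None
    for raw in sysctl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == "net.ipv4.ip_forward":
            value = val.strip()
    return value == "1"


# Constructed sample files (not the post's actual files).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
;push "route 192.168.10.0 255.255.255.0"
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.1.8 1194
# tls-auth ta.key 1
ca ca.crt
cert client7.crt
key client7.key
"""

SYSCTL_CONF = "# route between tun0 and the LAN\nnet.ipv4.ip_forward = 1\n"

if __name__ == "__main__":
    print("server:", audit_server(SERVER_CONF) or "ok")
    print("client:", audit_client(CLIENT_CONF, "192.168.1.8", "1194") or "ok")
    print("ip_forward:", ip_forward_enabled(SYSCTL_CONF))
```

Point the functions at the real files with open(path).read(); a non-empty findings list is what to fix before starting openvpn. The sample server configuration above yields only no-tls-auth, which is the hardening note rather than a functional failure.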

Tmux

tmux is a software application that can be used to multiplex several virtual consoles, allowing a user to access multiple separate terminal sessions inside a single terminal window or remote terminal session.

Installation

Every distribution's package manager installs it easily; on macOS use Homebrew:

brew update
brew install tmux

tmux vs. screen commands

List sessions
– tmux ls
– screen -ls

Create a session
– tmux new -s session-name
– screen -S session-name

Reattach to the last session
– tmux attach
– screen -r

Attach to a named session
– tmux attach -t session-name
– screen -r session-name

Common tmux functions

The default tmux prefix is C-b (Ctrl + b); if you are used to the screen shortcut, change it to C-a in ~/.tmux.conf:

# Set the prefix to ^A.
unbind C-b
set -g prefix ^A
bind a send-prefix

The commonly used functions:
* C-b c create a new window
* C-b d detach from the current session
* C-b n switch to the next window
* C-b p switch to the previous window
* C-b & kill the current window
* C-b , rename the current window
* C-b w list all windows in the session; select one by number
* C-b q show pane numbers; select one by number
* C-b % split off a new pane vertically
* C-b o switch to the next pane
* C-b { move the pane left
* C-b } move the pane right
* C-b ? help
* C-b :split-window -h split off a new pane horizontally
* C-b :split-window -v split off a new pane vertically

Reinstalling the MyBookLive

Reinstall

At home I have a MyBookLive serving as a tiny NAS. It is quite old but has always worked well and pairs nicely with the Apple TV 3: drop whatever I want to watch into Transmission, it downloads automatically, and when it is done I watch it on the ATV3, with 1080p playing essentially without stutter. A few small services run on it too, which is more than enough for the backups and entertainment I need, so I never bothered tinkering with it. A few days ago I changed the password on a whim, and then disaster: I forgot it. Everything still worked, but not having full control of the box bothered me, so I decided to reinstall. Fortunately I had prepared a fallback :)

Earlier I had put a fresh rootfs.img image in /DataVolume/shares/Public/ and replaced the system's resetButtonAction.sh, so that when the system has problems it can be restored with the reset button on the MyBookLive without losing the data. I still recommend backing up first; there is always a chance something goes wrong.

#!/bin/bash

PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo red > /sys/class/leds/a3g_led/color
echo yes > /sys/class/leds/a3g_led/blink

echo

#sets $image_img
image_img="/DataVolume/shares/Public/rootfs.img"
echo

# Sort out what MD device is what
currentRootDevice=`cat /proc/cmdline | awk '/root/ { print $1 }' | cut -d= -f2`
if [ "${currentRootDevice}" = "/dev/md0" ]; then
    upgradeRootDevice="/dev/md1"
elif [ "${currentRootDevice}" = "/dev/md1" ]; then
    upgradeRootDevice="/dev/md0"
else
    echo "Unknown rootfs boot device: '${currentRootDevice}', exiting."
    exit 1
fi

echo "currentRootDevice = ${currentRootDevice}"
echo "upgradeRootDevice = ${upgradeRootDevice}"
echo

# If the upgrade MD device is used, shut it down
if [ -e $upgradeRootDevice ]; then
    echo "stopping upgrade md device ${upgradeRootDevice}"
    echo
    mdadm --stop $upgradeRootDevice
    mdadm --wait $upgradeRootDevice
    sleep 1
fi

echo "Ensure both partitions are members of the original MD device"
# "--remove" only remove failed disks and "--add" them causes resyncing
mdadm ${currentRootDevice} --remove /dev/sda1 #> /dev/null 2>&1
mdadm ${currentRootDevice} --add /dev/sda1    #> /dev/null 2>&1
mdadm --wait ${currentRootDevice}
mdadm ${currentRootDevice} --remove /dev/sda2 #> /dev/null 2>&1
mdadm ${currentRootDevice} --add /dev/sda2    #> /dev/null 2>&1
mdadm --wait ${currentRootDevice}
sleep 1

echo
echo "Setting up the upgraded raid unit"
sync
mdadm --wait ${currentRootDevice}
mdadm ${currentRootDevice} -f /dev/sda1 -r /dev/sda1 2> /dev/null > /dev/null
mdadm --wait ${currentRootDevice}
sleep 1
mdadm --zero-superblock --force --verbose /dev/sda1
mdadm --create ${upgradeRootDevice} --verbose --metadata=0.9 --raid-devices=2 --level=raid1 --run /dev/sda1 missing
mdadm --wait ${upgradeRootDevice}
sleep 1
sync
mkfs.ext3 -c -b 4096 ${upgradeRootDevice}
sync
echo

# installing new image on update device
# img file was searched for by ./findImage.sh
echo "Copy image to upgrade device ${upgradeRootDevice}"
dd if=${image_img} of=${upgradeRootDevice}
echo

# new OS was accepted
mkdir -p /mnt/rootfs
mount ${upgradeRootDevice} /mnt/rootfs

#needed
touch /mnt/rootfs/etc/.updateInProgress
chmod 777 /mnt/rootfs/etc/.updateInProgress

#enable ssh
echo "enabled" > /mnt/rootfs/etc/nas/service_startup/ssh

# copy the u-boot script to the boot directory
if [ ${upgradeRootDevice} == "/dev/md0" ]; then
    cp /mnt/rootfs/usr/local/share/bootmd0.scr /mnt/rootfs/boot/boot.scr
else
    cp /mnt/rootfs/usr/local/share/bootmd1.scr /mnt/rootfs/boot/boot.scr
fi

# some safety since it is a critical step here
sync
sleep 2
umount /mnt/rootfs
sleep 2
sync
echo

# ensures reboot
echo no     > /sys/class/leds/a3g_led/blink
echo yellow > /sys/class/leds/a3g_led/color
echo "all done, now rebooting"
shutdown -r 0

install optware

Connect to the MyBookLive over SSH and run the following commands to install Optware.

wget http://mybookworld.wikidot.com/local--files/optware/setup-mybooklive.sh
sh setup-mybooklive.sh

Add ipkg to the PATH:

echo "export PATH=$PATH:/opt/bin:/opt/sbin" >> /root/.bashrc
echo "export PATH=$PATH:/opt/bin:/opt/sbin" >> /etc/profile

Reconnect, then run the update command; Optware is now installed.

ipkg update

Installing Transmission 2.84

I have always used Transmission for unattended downloads, so it is a must. Version 2.84 has to be compiled by hand, so this takes a while.

#!/bin/bash
#
#Compile and Install transmission bittorrent client on mybooklive
#
#Author: Proglin 2015-09-10
#
# Update: 2017-06-14 Update main code with suggestions from HTaborda and olimatis.
# Update: 2016-10-06 by olimatis: New source for Transmission
# Update: 2016-04-24 by HTaborda: Introduced --no-check-certificate to the Transmission source download; server certificate outdated
# Update: 2016-02-26 LibEvent Extract Folder name changed + Compile Changed
# Update: 2016-02-22 LibEvent URL changed
#
# Note:
#  I strongly recommend you download an updated firmware
#  Save it in public folder
#  If anything goes wrong you can update your firmware to clean the mess using:
#    /usr/local/sbin/updateFirmwareFromFile.sh /DataVolume/shares/Public/apnc-024310-048-20150507.deb
#
# References:
#https://trac.transmissionbt.com/wiki/Building#DebianSqueeze
#https://trac.transmissionbt.com/wiki/Scripts/initd
#http://falkhusemann.de/blog/2012/05/compiling-transmission-bittorrent-for-debiand/
#http://community.wd.com/t5/My-Book-Live/GUIDE-How-to-unbrick-a-totally-dead-MBL/td-p/435724
#http://support.wd.com/product/download.asp?groupid=902&sid=132&lang=en
start=$SECONDS

# CONFIGURATION TRANSMISSION VERSION
TRANSMISSIONSOURCE='https://github.com/transmission/transmission-releases/raw/master/transmission-2.84.tar.xz'

# EXTRA CONFIGURATIONS
#TMPFOLDER='/root/temp'
#LIBEVENTSOURCE='http://sourceforge.net/projects/levent/files/libevent/libevent-2.0/libevent-2.0.18-stable.tar.gz'
LIBEVENTSOURCE='https://github.com/libevent/libevent/archive/release-2.0.18-stable.tar.gz'
LIBEVENTEXTRACTNAME='libevent-release-2.0.18-stable.tar.gz'

#Change TMP Folder to have more space!
TMPFOLDER='/shares/Public/tmpCompile'
TMP=$TMPFOLDER
TEMP=$TMPFOLDER
TMPDIR=$TMPFOLDER
export TMPDIR TMP TEMP

clear
echo "Welcome! Compile and Install Transmission 2.84"
echo "Created by Proglin v2015-09-10"
echo "      Last Update: v2017-06-14"
echo "ALWAYS back up your data before proceeding."
echo "This script was only tested with MyBookLive firmware 02.43.10-048"
printf "Your firmware version is: ";tail -1 /var/log/version.log
echo ""
echo "NOTE from Author: I have not MyBookLive since 2016. Changes after 2016 are based"
echo "                  on user forum comments."
echo ""
echo "We are going to change some configs to install Transmission"
read -p "This process takes around 30 minutes. Are you sure? (Y/N)" -n 1 -r
echo    # (optional) move to a new line
if [[ $REPLY =~ ^[Nn]$ ]]
then
    echo "OK. Exiting."
    exit
fi

mkdir -p $TMPFOLDER
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi

rm -f /var/lib/dpkg/info/wd-nas.*
cp /etc/apt/sources.list $TMPFOLDER/sources.list.bak
echo ""
printf "1/22 Configuring repositories... (part 1/3)"
APTSOURCESOLD="#Modified to install Transmission (old packages)
deb http://archive.debian.org/debian/ squeeze main
deb-src http://archive.debian.org/debian/ squeeze main
#deb http://ftp.br.debian.org/debian/ wheezy main
#deb-src http://ftp.br.debian.org/debian/ wheezy main\n"
printf "$APTSOURCESOLD" > /etc/apt/sources.list

apt-get -qq clean
apt-get -qq update >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "2/22 Installing packages... (part 1/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install tar >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "3/22 Installing packages... (part 2/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install ca-certificates >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "4/22 Installing packages... (part 3/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install intltool >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "5/22 Installing packages... (part 4/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install build-essential >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "6/22 Installing packages... (part 5/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install libtool >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "7/22 Configuring repositories... (part 2/3)"
APTSOURCESNEW="#Modified to install Transmission (new packages)
#deb http://archive.debian.org/debian/ squeeze main
#deb-src http://archive.debian.org/debian/ squeeze main
deb http://ftp.br.debian.org/debian/ wheezy main
deb-src http://ftp.br.debian.org/debian/ wheezy main\n"
printf "$APTSOURCESNEW" > /etc/apt/sources.list
apt-get -qq clean
apt-get -qq update 2>/dev/null
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "8/22 Installing packages... (part 6/7)"
export DEBIAN_FRONTEND=noninteractive
apt-get -qq -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" -o Dpkg::Options::="--force-confdef" install libssl-dev >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "9/22 Configuring repositories... (part 3/3)"
APTSOURCESOLD="#Modified to install Transmission (old packages)
deb http://archive.debian.org/debian/ squeeze main
deb-src http://archive.debian.org/debian/ squeeze main
#deb http://ftp.br.debian.org/debian/ wheezy main
#deb-src http://ftp.br.debian.org/debian/ wheezy main\n"
printf "$APTSOURCESOLD" > /etc/apt/sources.list

apt-get -qq clean
apt-get -qq update >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "10/22 Installing packages... (part 7/7)"
apt-get -q -y --force-yes --allow-unauthenticated -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install libcurl4-openssl-dev >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "11/22 Downloading sources of LIBEVENT..."
#Getting sources of Transmission and LibEvent
#wget -q $LIBEVENTSOURCE -O $TMPFOLDER/${LIBEVENTSOURCE##*/} >/dev/null 2>&1
wget -q $LIBEVENTSOURCE -O $TMPFOLDER/$LIBEVENTEXTRACTNAME >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi
#extract
#tar xf $TMPFOLDER/${LIBEVENTSOURCE##*/} -C $TMPFOLDER >/dev/null 2>&1
tar xf $TMPFOLDER/$LIBEVENTEXTRACTNAME -C $TMPFOLDER >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

printf "12/22 Downloading sources of TRANSMISSION"
#Getting sources of Transmission and LibEvent
#wget -q $TRANSMISSIONSOURCE -O $TMPFOLDER/${TRANSMISSIONSOURCE##*/} >/dev/null 2>&1
wget --no-check-certificate -q $TRANSMISSIONSOURCE -O $TMPFOLDER/${TRANSMISSIONSOURCE##*/} >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi
#extract
tar xf $TMPFOLDER/${TRANSMISSIONSOURCE##*/} -C $TMPFOLDER >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#clean cache
apt-get clean

#Getfilenames of directories
#AFTER_SLASH=${LIBEVENTSOURCE##*/}
#file="${AFTER_SLASH%%\?*}"
file=${LIBEVENTEXTRACTNAME}
DIRLIBEVENTSOURCE=${file%.tar.xz}
DIRLIBEVENTSOURCE=${DIRLIBEVENTSOURCE%.tar.gz}

#Configure LIBEVENT
cd $TMPFOLDER/$DIRLIBEVENTSOURCE
printf "13/22 Configuring LIBEVENT to compile..."
./autogen.sh >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi
./configure --prefix=/usr >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#Compile LIBEVENT
printf "14/22 Compiling LIBEVENT..."
make >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#Install LIBEVENT
printf "15/22 Installing LIBEVENT..."
make install >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#Configure TRANSMISSION
AFTER_SLASH=${TRANSMISSIONSOURCE##*/}
file="${AFTER_SLASH%%\?*}"
DIRTRANSMISSION=${file%.tar.xz}
DIRTRANSMISSION=${DIRTRANSMISSION%.tar.gz}

cd $TMPFOLDER/$DIRTRANSMISSION
printf "16/22 Configuring TRANSMISSION to compile..."
./configure --prefix=/usr --enable-lightweight --enable-daemon --enable-utp >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#Compile TRANSMISSION
printf "17/22 Compiling TRANSMISSION..."
make >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi

#Install TRANSMISSION
printf "18/22 Installing TRANSMISSION..."
#mkdir -p /root/.config/transmissiond
make install >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi


#settings.json
read -d '' SETTINGSJSON <<"EOF"
{
    "alt-speed-down": 300, 
    "alt-speed-enabled": true, 
    "alt-speed-time-begin": 420, 
    "alt-speed-time-day": 127, 
    "alt-speed-time-enabled": true, 
    "alt-speed-time-end": 30, 
    "alt-speed-up": 10, 
    "bind-address-ipv4": "0.0.0.0", 
    "bind-address-ipv6": "::", 
    "blocklist-enabled": true, 
    "blocklist-url": "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz", 
    "cache-size-mb": 8, 
    "dht-enabled": true, 
    "download-dir": "/DataVolume/shares/Public/Torrents/Completed", 
    "download-queue-enabled": true, 
    "download-queue-size": 5, 
    "encryption": 2, 
    "idle-seeding-limit": 30, 
    "idle-seeding-limit-enabled": true, 
    "incomplete-dir": "/DataVolume/shares/Public/Torrents/Incomplete", 
    "incomplete-dir-enabled": true, 
    "lazy-bitfield-enabled": true, 
    "lpd-enabled": false, 
    "message-level": 2, 
    "peer-congestion-algorithm": "lp", 
    "peer-id-ttl-hours": 6, 
    "peer-limit-global": 260, 
    "peer-limit-per-torrent": 80, 
    "peer-port": 51003, 
    "peer-port-random-high": 65535, 
    "peer-port-random-low": 49152, 
    "peer-port-random-on-start": false, 
    "peer-socket-tos": "lowcost", 
    "pex-enabled": true, 
    "port-forwarding-enabled": false, 
    "preallocation": 2, 
    "prefetch-enabled": 0, 
    "queue-stalled-enabled": true, 
    "queue-stalled-minutes": 60, 
    "ratio-limit": 0.1000, 
    "ratio-limit-enabled": true, 
    "rename-partial-files": true, 
    "rpc-authentication-required": false, 
    "rpc-bind-address": "0.0.0.0", 
    "rpc-enabled": true, 
    "rpc-password": "{ee82e7a5337f8d06704c133d83fd69da54bdc785ixojPp6Z", 
    "rpc-port": 9091, 
    "rpc-url": "/transmission/", 
    "rpc-username": "transmission", 
    "rpc-whitelist": "127.0.0.1,192.168.*.*", 
    "rpc-whitelist-enabled": true, 
    "scrape-paused-torrents-enabled": true, 
    "script-torrent-done-enabled": false, 
    "script-torrent-done-filename": "/DataVolume/shares/Public/Torrents/Scripts/processaTorrent.sh", 
    "seed-queue-enabled": true, 
    "seed-queue-size": 10, 
    "speed-limit-down": 1100, 
    "speed-limit-down-enabled": true, 
    "speed-limit-up": 85, 
    "speed-limit-up-enabled": true, 
    "start-added-torrents": true, 
    "trash-original-torrent-files": true, 
    "umask": 0, 
    "upload-slots-per-torrent": 8, 
    "utp-enabled": true, 
    "watch-dir": "/DataVolume/shares/Public/Torrents/Monitora", 
    "watch-dir-enabled": false
}

EOF

#INIT.D file
read -d '' INITD <<"EOF"
#! /bin/sh
### BEGIN INIT INFO
# Provides:          transmission-daemon
# Required-Start:    networking
# Required-Stop:     networking
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Short-Description: Start the transmission BitTorrent daemon client.
### END INIT INFO

# Original Author: Lennart A. Jaette, based on Rob Howell's script
# Modified by Maarten Van Coile & others (on IRC)

# Do NOT "set -e"

#
# ----- CONFIGURATION -----
#
# For the default location Transmission uses, visit:
# http://trac.transmissionbt.com/wiki/ConfigFiles
# For a guide on how set the preferences, visit:
# http://trac.transmissionbt.com/wiki/EditConfigFiles
# For the available environment variables, visit:
# http://trac.transmissionbt.com/wiki/EnvironmentVariables
#
# The name of the user that should run Transmission.
# It's RECOMMENDED to run Transmission as its own user,
# by default, this is set to 'transmission'.
# For the sake of security you shouldn't set a password
# on this user
USERNAME=root


# ----- *ADVANCED* CONFIGURATION -----
# Only change these options if you know what you are doing!
#
# The folder where Transmission stores the config & web files.
# ONLY change this you have it at a non-default location
#TRANSMISSION_HOME="/var/config/transmission-daemon"
#TRANSMISSION_WEB_HOME="/usr/share/transmission/web"
#
# The arguments passed on to transmission-daemon.
# ONLY change this you need to, otherwise use the
# settings file as per above.
#TRANSMISSION_ARGS=""


# ----- END OF CONFIGURATION -----
#
# PATH should only include /usr/* if it runs after the mountnfs.sh script.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DESC="bittorrent client"
NAME=transmission-daemon
DAEMON=$(which $NAME)
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

#
# Function that starts the daemon/service
#

do_start()
{
    # Export the configuration/web directory, if set
    if [ -n "$TRANSMISSION_HOME" ]; then
          export TRANSMISSION_HOME
    fi
    if [ -n "$TRANSMISSION_WEB_HOME" ]; then
          export TRANSMISSION_WEB_HOME
    fi

    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --chuid $USERNAME --start --pidfile $PIDFILE --make-pidfile \
            --exec $DAEMON --background --test -- -f $TRANSMISSION_ARGS > /dev/null \
            || return 1
    start-stop-daemon --chuid $USERNAME --start --pidfile $PIDFILE --make-pidfile \
            --exec $DAEMON --background -- -f $TRANSMISSION_ARGS \
            || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=TERM/10/KILL/5 --pidfile $PIDFILE --exec $DAEMON 
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2

        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.

        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2

        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE

        return "$RETVAL"
}

case "$1" in
  start)
        echo "Starting $DESC" "$NAME..."
        do_start
        case "$?" in
                0|1) echo "   Starting $DESC $NAME succeeded" ;;
                *)   echo "   Starting $DESC $NAME failed" ;;
        esac
        ;;
  stop)
        echo "Stopping $DESC $NAME..."
        do_stop
        case "$?" in
                0|1) echo "   Stopping $DESC $NAME succeeded" ;;
                *)   echo "   Stopping $DESC $NAME failed" ;;
        esac
        ;;
  restart|force-reload)
        #
        # If the "reload" option is implemented then remove the
        # 'force-reload' alias
        #
        echo "Restarting $DESC $NAME..."
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                    0|1) echo "   Restarting $DESC $NAME succeeded" ;;
                    *)   echo "   Restarting $DESC $NAME failed: couldn't start $NAME" ;;
                esac
                ;;
          *)
                echo "   Restarting $DESC $NAME failed: couldn't stop $NAME" ;;
        esac
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

EOF

#Setting TRANSMISSION to auto startup
printf "19/22 Configuring TRANSMISSION to auto startup"
printf "$INITD" > /etc/init.d/transmission-daemon
chmod +x /etc/init.d/transmission-daemon
chown root:root /etc/init.d/transmission-daemon
#Adding autostart to transmission
update-rc.d transmission-daemon defaults >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi


#Starting TRANSMISSION
printf "20/22 Configuring TRANSMISSION settings.json"
/etc/init.d/transmission-daemon start >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi

#Wait transmission to create config files structure
sleep 5

/etc/init.d/transmission-daemon stop >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
fi

#configuring SETTINGS.JSON
printf "$SETTINGSJSON" > /root/.config/transmission-daemon/settings.json
echo " OK!"

printf "21/22 Cleaning temp files"
#Cleaning temp files
cp /etc/apt/sources.list /etc/apt/sources.list.new
cat $TMPFOLDER/sources.list.bak > /etc/apt/sources.list
rm -rf $TMPFOLDER
apt-get clean
echo " OK!"

#Starting TRANSMISSION
printf "22/22 Starting TRANSMISSION"
/etc/init.d/transmission-daemon start >/dev/null 2>&1
if [[ $? > 0 ]]
then
    echo "The command failed, exiting." ; exit
else
    echo " OK!"
fi


end=$SECONDS
echo "Total time: $((end - start)) secs."
echo "Done!"
echo "Cross your fingers and access http://mybooklive:9091/"
echo "TODO: REMEMBER to configure: settings.json" 
echo ""

After installation, edit the configuration file.

vim /root/.config/transmission-daemon/settings.json
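The settings.json the script writes binds the RPC interface to 0.0.0.0 with rpc-authentication-required set to false, relying on rpc-whitelist alone, and sets umask to 0. The following added example, not part of the script or of the post, audits a Transmission 2.x settings.json for those choices and writes a hardened copy. The sample settings are constructed to mirror the script's values; the key names are real Transmission settings, while the finding codes and function names are mine.

```python
"""Added example, not part of the Transmission install script or the post: audit
a Transmission 2.x settings.json for RPC exposure and file permissions, and
produce a hardened copy.  SAMPLE_SETTINGS is constructed to mirror the values
the script writes."""
import copy
import json

LOOPBACK = ("127.0.0.1", "::1")


def audit_transmission_settings(settings):
    """Return short finding codes.  The RPC port is a full control interface for
    the daemon, so anything beyond loopback needs authentication, and the
    whitelist only helps while it is enabled and not wildcarded."""
    findings = []
    bind = settings.get("rpc-bind-address", "0.0.0.0")
    reachable_from_lan = settings.get("rpc-enabled", True) and bind not in LOOPBACK
    if reachable_from_lan and not settings.get("rpc-authentication-required", False):
        findings.append("rpc-no-auth")
    if reachable_from_lan and not settings.get("rpc-whitelist-enabled", True):
        findings.append("rpc-no-whitelist")
    whitelist = [w.strip() for w in settings.get("rpc-whitelist", "").split(",")]
    if reachable_from_lan and "*.*.*.*" in whitelist:
        findings.append("rpc-whitelist-any")
    password = settings.get("rpc-password", "")
    # The daemon replaces a plaintext rpc-password with a "{"-prefixed salted hash
    # the next time it saves settings.json; until then the secret sits in clear.
    if settings.get("rpc-authentication-required") and not password.startswith("{"):
        findings.append("rpc-password-plaintext")
    # Transmission 2.x stores umask as a decimal integer: 18 == 022. 0 makes every
    # downloaded file world-writable on the share.
    if settings.get("umask", 18) == 0:
        findings.append("umask-zero")
    return findings


def harden(settings):
    """Copy of settings with the exposure findings resolved; other keys untouched."""
    hardened = copy.deepcopy(settings)
    hardened["rpc-authentication-required"] = True
    hardened["rpc-whitelist-enabled"] = True
    kept = [w.strip() for w in hardened.get("rpc-whitelist", "127.0.0.1").split(",")
            if w.strip() and w.strip() != "*.*.*.*"]
    hardened["rpc-whitelist"] = ",".join(kept) or "127.0.0.1"
    if hardened.get("umask", 18) == 0:
        hardened["umask"] = 18
    return hardened


def harden_json(text):
    """Round-trip through JSON, as the file on disk would be handled."""
    return json.dumps(harden(json.loads(text)), indent=4, sort_keys=True)


# Constructed sample mirroring the script's choices (password hash is a placeholder).
SAMPLE_SETTINGS = {
    "download-dir": "/DataVolume/shares/Public/Torrents/Completed",
    "rpc-authentication-required": False,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": True,
    "rpc-password": "{constructed-salted-hash-placeholder",
    "rpc-username": "transmission",
    "rpc-whitelist": "127.0.0.1,192.168.*.*",
    "rpc-whitelist-enabled": True,
    "umask": 0,
}
SAMPLE_JSON = json.dumps(SAMPLE_SETTINGS)

if __name__ == "__main__":
    print("findings:", audit_transmission_settings(SAMPLE_SETTINGS))
    print(harden_json(SAMPLE_JSON))
```

Stop the daemon before rewriting the real file (transmission-daemon saves its in-memory settings on exit and would overwrite the edit), then start it again.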

Installing the video server

For the video server I use the appletv-mserver build; I ran the old version before and am using the new one this time.

Old version

tar zxvf appletv-mserver-121218.tgz
chmod 755 install.sh
./install.sh
apt-get install screen

Edit /etc/rc.local and add screen -d -m -S avs /opt/avs/startavs.sh:

vim /etc/rc.local
screen -d -m -S avs /opt/avs/startavs.sh

New version

The published old release is not the latest, so the script below can be used from the "install packages" step on to get the latest code from svn.

#install optware
IPKG=`which ipkg`
if [ -z "$IPKG" ]; then
wget -O - http://mybookworld.wikidot.com/local--files/optware/setup-mybooklive.sh|sh
echo "export PATH=$PATH:/opt/bin:/opt/sbin" >> /root/.bashrc
echo "export PATH=$PATH:/opt/bin:/opt/sbin" >> /etc/profile
fi
export PATH=$PATH:/opt/bin:/opt/sbin
wget -P /etc/init.d http://mybookworld.wikidot.com/local--files/optware/optware.sh
chmod +x /etc/init.d/optware.sh
update-rc.d optware.sh defaults 90 01
mkdir -p /opt/etc/init.d/
# install packages
ipkg update

ipkg install screen
ipkg install svn
ipkg install patch

# configure apache
# ln -s /DataVolume/shares/ /var/www/shares
ln -s /etc/apache2/mods-available/autoindex.conf /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/autoindex.load /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/
apache2ctl restart
# install appletv-mserver

cd /root
#svn co http://appletv-mserver.googlecode.com/svn/trunk
wget http://182.16.230.98/appletv-mserver.tgz
tar zxvf appletv-mserver.tgz
cd trunk
sh install.sh

/opt/avs/avs.sh restart

Change the site configuration to the version I need:

vim /etc/apache2/sites-available/avs


Listen 8000
<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    DocumentRoot /DataVolume/shares/x/Public/WWW/TR-Downloads
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /DataVolume/shares/x/Public/WWW/TR-Downloads>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
        RewriteEngine on
        RewriteBase /
        RewriteRule ^(.*\.mkv)$ /cgi-bin/mplay.cgi?$1 [R,NC]
        RewriteRule ^(.*\.mkv).(q.)$ /cgi-bin/mplay.cgi?$1&$2 [R,NC]
    </Directory>
    Alias /avs/ "/DataVolume/.avs/"
    <Directory /DataVolume/.avs/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /DataVolume/.avs/pl/>
        RewriteEngine on
        RewriteBase /
        RewriteRule ^(.*)\.m3u8$ /cgi-bin/m3u8.cgi?$1 [L]
        RewriteRule ^segment_(.*)\.ts$ /cgi-bin/ts.cgi?$1 [L]
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/avs-error.log
    LogLevel warn
</VirtualHost>

Adjust mplay.py, replacing the address with the local server.

vim /usr/lib/cgi-bin/mplay.py

#!/usr/bin/env python
# Python 2 CGI from appletv-mserver: asks the local avs daemon (port 7890) about
# the requested file and either prints stream information or redirects the
# client to an HLS playlist.
import os
import ast
import socket,urllib
try:
    server=os.environ['HTTP_HOST']
except KeyError:
    server="192.168.91.4"   # fallback host used in the redirect; change to your own server
try:
    filename=os.environ["QUERY_STRING"]
except KeyError:
    # default used when the script is run by hand for testing
    filename="Public/Shared%20Videos/%e6%96%ad%e7%ae%ad.Broken.Arrow.1996.BluRay.720P.DTS.2Audio.x264-CHD/Broken.Arrow.1996.BluRay.720P.DTS.2Audio.x264-CHD.mkv"

# QUERY_STRING is "<path>[&<arg>]"; the optional arg is an information query
# (qa/qs) or a quality selector
pos=filename.find('&')
arg=''
if pos>=0:
    arg=filename[pos+1:]
    filename=filename[:pos]
filename="/DataVolume/shares/Public/WWW/TR-Downloads/"+urllib.unquote(filename)


s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',7890))
if arg=='qa' or arg=='qs':
    # information query; the daemon answers with a Python literal
    if arg=='qa':
        s.send("I%s\n"%filename)
    else:
        s.send("T%s\n"%filename)
    d=s.recv(1024)
    x=list(ast.literal_eval(d))   # parse the reply as a literal without executing it
    length=x[0].strip()
    hour,min,sec=x[0].split(":")
    if sec[-1]==',': sec=sec[:-1]
    alll=int(hour)*3600+int(min)*60+float(sec)
    alll=int(alll)
    ret=[]
    ret.append(alll)
    audios=[]
    try:
        for audline in x[2]:
            info=audline.split("Audio:")
            sid=info[0].split()[1].split('.')[1]
            pos=sid.find("(")
            lang=''
            if pos>=0:
                lang=sid[pos:]
                sid=sid[:pos]
            else:
                if sid[-1]==":":sid=sid[:-1]
            sinfo=lang+info[1].strip()
            audios.append([sid,sinfo])
    except Exception:
        audios=[]
    ret.append(audios)
    if len(x)>3:
        srt=x[3]
        ret.append(srt)
    print "Content-type: text/html\r\n\r\n",
    print str(ret)
else:
    if arg!='':
        # the quality argument is appended to the file name as a suffix
        filename=filename+'.q'
        if arg[0]=='Q':
            filename=filename+'c'
        else:
            filename=filename+'t'
        filename=filename+arg[1]
    s.send("S%s\n"%filename)   # start streaming; the reply carries the duration
    d=s.recv(1024)
    x=ast.literal_eval(d)
    length=x[0].strip()
    hour,min,sec=x[0].split(":")
    if sec[-1]==',': sec=sec[:-1]
    alll=int(hour)*3600+int(min)*60+float(sec)
    alll=int(alll)
    s.close()
    url='http://%s/avs/pl/%s.m3u8'% (server,alll)
    print "Status: 302 Moved"
    print "Location: %s" % url
    print "URI: %s" % url
    print "Content-type: text/html\r\n\r\n"
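mplay.py builds the file path by appending the URL-decoded QUERY_STRING to the share root. The helper below is an added example, not part of appletv-mserver or of the post: it performs the same decoding and then accepts the result only if it still lies below the share root and names an .mkv (the only extension the vhost above routes to the CGI), which is the check a defender wants in front of any CGI that maps URLs to files. The share root is the one from the post; the function names and the sample queries are mine.

```python
"""Added example, not part of appletv-mserver or the post: decode the CGI query
the way mplay.py does, then confine the resulting path to the share root."""
import posixpath
try:
    from urllib.parse import unquote           # Python 3
except ImportError:                             # Python 2, as on the MyBookLive
    from urllib import unquote

# Share root used by the post's mplay.py.
SHARE_ROOT = "/DataVolume/shares/Public/WWW/TR-Downloads"


def split_query(query):
    """mplay.py treats everything after the first '&' as its argument (qa/qs/...)."""
    path, _, arg = query.partition("&")
    return path, arg


def resolve_media_path(query, root=SHARE_ROOT):
    """Return the absolute file path for the query, or None when the decoded
    path escapes root, is empty, or does not name an .mkv.

    normpath works on the string only: '..' segments are collapsed before the
    prefix check, but symlinks inside root are not resolved."""
    rel, _ = split_query(query)
    rel = unquote(rel)
    if "\x00" in rel:
        return None
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if not candidate.startswith(root + "/"):
        return None
    if not candidate.lower().endswith(".mkv"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample queries.
    for q in ("Movie.Dir/Movie.mkv&qa", "Shared%20Videos/a.mkv", "..%2F..%2Foutside.mkv", "notes.txt"):
        print("%-32s -> %s" % (q, resolve_media_path(q)))
```

In the CGI, the line that concatenates the root and the decoded name would call resolve_media_path(os.environ["QUERY_STRING"]) instead and answer with a 404 when it returns None.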

Adding the remaining dependencies and configuration

sed -i "s/AllowOverride None/AllowOverride All/" /etc/apache2/sites-available/wdnas
ln -s /DataVolume/shares/ /var/www/shares
echo "Options +Indexes">/DataVolume/shares/.htaccess
ln -s /DataVolume/shares/appletv /var/www/appletv
echo "Options +Indexes" >/mw2/.htaccess
ln -s /appletv/ /var/www/appletv
echo "Options +Indexes">/appletv/.htaccess
ln -s /DataVolume/shares/media/ /var/www/media
echo "Options +Indexes">/media/.htaccess
ln -s /etc/apache2/mods-available/autoindex.conf /etc/apache2/mods-enabled/
ln -s /etc/apache2/mods-available/autoindex.load /etc/apache2/mods-enabled/

GitLab backup, restore and migration

Backup

The /etc/gitlab/gitlab.rb file has a gitlab_rails['backup_path'] field, which is the backup storage directory; it can be changed and applied with the gitlab-ctl reconfigure command.

Once the backup directory is set, back up with the following command:

gitlab-rake gitlab:backup:create

This produces a tar archive named like 1501724591_2017_08_03_gitlab_backup.tar, where 1501724591 is the backup ID that the restore step needs later.

Restore

Restoring is also simple, but the GitLab services have to be stopped first. Put the backup file into the backup storage directory and specify the backup ID to complete the restore:

gitlab-ctl stop unicorn
gitlab-ctl stop sidekiq

gitlab-rake gitlab:backup:restore BACKUP=1501724591

sudo gitlab-ctl start

Migration

To migrate, take a backup as above, copy the backup file to the other machine and restore it there.

Installing WordPress and configuring HTTPS

Installing WordPress

Download and extract WordPress:

# download
wget -c https://wordpress.org/latest.tar.gz
# extract
tar -xzvf latest.tar.gz

Install the required packages:

yum install php-fpm php-mysql mysql-server php-mbstring php-gd php-pear php-mcrypt php-mhash php-eaccelerator php-suhosin php-tidy php-curl -y

Configure the database: log in to the database and run the following:

# create the database
CREATE DATABASE wordpress;
# create a dedicated user
CREATE USER wordpressuser@localhost;
# set the password
SET PASSWORD FOR wordpressuser@localhost= PASSWORD("yourpassword");
# grant privileges
GRANT ALL PRIVILEGES ON wordpress.* TO wordpressuser@localhost IDENTIFIED BY 'yourpassword';
# reload the grant tables
FLUSH PRIVILEGES;

Edit the connection configuration file and add the database details just created.

# copy the sample as the configuration file
cp wp-config-sample.php wp-config.php
# edit the configuration file
vim wp-config.php

Requesting a Let's Encrypt certificate

After setting up nginx and tweaking the theme a little, I tried HTTPS while it was fresh in my mind, since a company project had wanted it earlier.

Let's Encrypt is a free, open certificate authority; here is how to set it up.

Creating an account

First create the RSA account key:

openssl genrsa 4096 > account.key

Creating the CSR file

Next generate the CSR (Certificate Signing Request) file. First create an ECC or RSA private key:

  • RSA private key (best compatibility):
openssl genrsa 4096 > domain.key
  • I use an ECC private key:
#secp256r1
openssl ecparam -genkey -name secp256r1 | openssl ec -out domain.key

#secp384r1
openssl ecparam -genkey -name secp384r1 | openssl ec -out domain.key

With the private key you can generate the CSR; replace yoursite below with your own domain.

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:yoursite.com,DNS:www.yoursite.com")) > domain.csr

Configuring the validation endpoint

Since domain ownership must be proven, Let's Encrypt validates it by fetching a specified file from the domain's web server.

Modify Nginx:

server {
    server_name www.yoursite.com yoursite.com;

    location ^~ /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
            try_files $uri =404;
    }
}

Validating and obtaining the certificate

I use acme-tiny for the request:

wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py

Request the certificate:

python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt

Download the root and intermediate certificates and concatenate them:

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cat intermediate.pem root.pem > full_chained.pem

The chained.pem and domain.key that the server needs are now ready; on to configuring the server.

Configuring the server

I use Nginx. The configuration was fairly painful, because the server firewall held me up for half a day.

/etc/nginx/conf.d/virtual.conf mainly serves the validation path used for certificate requests and redirects all HTTP to HTTPS.

server {  
    listen 80;  
    server_name yoursite.com www.yoursite.com;
    location ^~ /.well-known/acme-challenge/ {
            alias /var/www/challenges/;
            try_files $uri =404;
    }

    location / {
        rewrite ^/(.*)$ https://qiknow.com/$1 permanent;
    }
}

/etc/nginx/conf.d/ssl.conf configures the WordPress site and points ssl_certificate /etc/ssl/chained.pem and ssl_certificate_key /etc/ssl/domain.key at the generated certificate and key.

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl;
    server_name  yoursite.com www.yoursite.com;
    root         /var/www/wordpress;
    index index.php index.html index.htm;

    ssl_certificate /etc/ssl/chained.pem;
    ssl_certificate_key /etc/ssl/domain.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    location / {
        try_files $uri $uri/ /index.php?$args ;
    }
    location ~ \.php$ {
                root           /var/www/wordpress;
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME      $document_root$fastcgi_script_name;
                include        fastcgi_params;
    }
}

Renewing the certificate

The certificate expires after a while and has to be renewed. The steps:


python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/challenges/ > ./signed2.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate2.pem
cat signed2.crt intermediate2.pem > chained2.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root2.pem
cat intermediate2.pem root2.pem > full_chained2.pem
mv /etc/ssl/chained.pem /etc/ssl/chained.pem.bak
cp chained2.pem /etc/ssl/chained.pem
service nginx restart
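Both the chain-building step earlier (cat signed.crt intermediate.pem > chained.pem) and the renewal step above rely on the acme-tiny run and the wget download having succeeded before the result is copied over the live /etc/ssl/chained.pem. The following added example, not from the post, checks a bundle before it is installed: PEM framing, base64, that every block is one complete DER SEQUENCE (a truncated download fails this), that only CERTIFICATE blocks are present (so domain.key cannot slip in by mistake) and that the expected number of certificates is there. It does not verify signatures. The sample certificates are constructed DER stand-ins, not real X.509 data, and the function names are mine.

```python
"""Added example, not from the post: sanity-check a chained.pem (or a renewed
chained2.pem) built by concatenating PEM files, before it replaces the live
certificate.  Structural checks only; signatures are not verified."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def pem_blocks(text):
    """(label, DER bytes) for each PEM block; ValueError on damaged framing or base64."""
    blocks = []
    for match in PEM_RE.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError("BEGIN %s closed by END %s" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in %s block: %s" % (begin, exc))
        blocks.append((begin, der))
    return blocks


def der_is_complete_sequence(der):
    """True when der is exactly one DER SEQUENCE (tag 0x30) whose length field
    covers the whole buffer, which is what an intact certificate looks like."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: low bits give the byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def validate_chain_file(text, expected_certs):
    """Return the DER certificates in file order, or raise ValueError."""
    leftover = PEM_RE.sub("", text).strip()
    if leftover:
        raise ValueError("non-PEM content in bundle: %r" % leftover[:40])
    blocks = pem_blocks(text)
    for label, der in blocks:
        if label != "CERTIFICATE":
            raise ValueError("unexpected %s block in certificate bundle" % label)
        if not der_is_complete_sequence(der):
            raise ValueError("truncated or malformed certificate")
    if len(blocks) != expected_certs:
        raise ValueError("expected %d certificates, found %d" % (expected_certs, len(blocks)))
    return [der for _, der in blocks]


def chain_problem(text, expected_certs=2):
    """None when the bundle is safe to install as chained.pem, else the reason.
    chained.pem in the post holds leaf + intermediate, hence the default of 2."""
    try:
        validate_chain_file(text, expected_certs)
        return None
    except ValueError as exc:
        return str(exc)


def make_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM framing (used here only to build the samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed stand-ins: each a minimal DER SEQUENCE, not real X.509 data.
LEAF_PEM = make_pem(b"\x30\x03\x02\x01\x05")
INTERMEDIATE_PEM = make_pem(b"\x30\x03\x02\x01\x06")
TRUNCATED_PEM = make_pem(b"\x30\x08\x02\x01\x05")    # declares 8 content bytes, carries 3

if __name__ == "__main__":
    print("good chain:", chain_problem(LEAF_PEM + INTERMEDIATE_PEM))
    print("missing intermediate:", chain_problem(LEAF_PEM))
    print("truncated:", chain_problem(LEAF_PEM + TRUNCATED_PEM))
```

In the renewal sequence, run chain_problem(open("chained2.pem").read()) after the cat step and perform the mv and cp only when it returns None; full_chained.pem (intermediate + root) is checked the same way with expected_certs=2.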