记录一下折腾服务器 - 夜深人静NEON小窝

NOTE
操作系统是阿里云轻型服务器提供的 Debian 12.10，部分内容可能与官方镜像不同。

更新软件包#

sudo apt update
sudo apt upgrade

修改 hostname#

查看

hostname

修改

hostnamectl set-hostname newhostname

设置 swap#

创建 swap#

查看

free -h

创建 swap 文件

sudo fallocate -l 4G /swapfile

swap 大小参考

设置权限

sudo chmod 600 /swapfile

格式化为 swap

sudo mkswap /swapfile

启用 swap

sudo swapon /swapfile

开机启动#

编辑 /etc/fstab

sudo nano /etc/fstab

1
...
2
/swapfile none swap sw 0 0

调整 swappiness#

查看当前值

cat /proc/sys/vm/swappiness

编辑 /etc/sysctl.conf

sudo nano /etc/sysctl.conf

添加或修改 swappiness 值（10 - 20）

1
...
2
vm.swappiness = 10
3
...

修改 SSH 端口#

CAUTION
在确认新端口能连上之前，不要关闭当前 SSH 会话。

查看

sudo ss -tlnp | grep ssh

编辑 /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

先新增端口，确认没问题后再删除 22 端口

1
...
2
Port 22
3
Port 2222
4
...

检查配置是否有误（没有输出就是正常）

sudo sshd -t

重载 SSH 服务

sudo systemctl reload ssh

WARNING
不要使用 restart 防止自己掉线。

测试自己能否成功连接，确认没有问题后就可以把 22 端口的配置注释或者直接删掉。

安装 Docker#

Docker 官方安装教程

普通用户加入 docker 组#

sudo usermod -aG docker youruser

IMPORTANT
加入用户组后需要重启会话才可生效。

配置镜像加速源#

可以在这个网站查看镜像加速源。

修改 /etc/docker/daemon.json

sudo nano /etc/docker/daemon.json

1
{
2
    "registry-mirrors": [
3
        "https://docker.1ms.run",
4
        "https://docker.1panel.live"
5
    ],
6
    "log-driver": "json-file",
7
    "log-opts": {
8
        "max-size": "20m",
9
        "max-file": "3"
10
    }
11
}

重启 Docker

sudo systemctl daemon-reexec
sudo systemctl restart docker

测试

docker run --rm hello-world

部署 nginx#

创建目录

sudo mkdir -p /srv/stack/nginx/{conf.d,log,html}
sudo chown -R admin:admin /srv/stack

创建 /srv/stack/docker-compose.yml

nano /srv/stack/docker-compose.yml

1
services:
2
  nginx:
3
    image: nginx:1.28-alpine
4
    container_name: nginx
5
    ports:
6
      - "80:80"
7
    environment:
8
      - TZ=Asia/Shanghai
9
    volumes:
10
      - /srv/stack/nginx/conf.d:/etc/nginx/conf.d:ro
11
      - /srv/stack/nginx/log:/var/log/nginx
12
      # - /srv/stack/nginx/html:/usr/share/nginx/html
13
    restart: unless-stopped

创建 nginx 配置

nano /srv/stack/nginx/conf.d/default.conf

1
server {
2
    listen       80;
3
    server_name  _;
4

5
    #access_log  /var/log/nginx/host.access.log  main;
6

7
    location / {
8
        root   /usr/share/nginx/html;
9
        index  index.html index.htm;
10
    }
11

12
    #error_page  404              /404.html;
13

14
    # redirect server error pages to the static page /50x.html
15
    #
16
    error_page   500 502 503 504  /50x.html;
17
    location = /50x.html {
18
        root   /usr/share/nginx/html;
19
    }
20
}

启动

docker compose up -d

使用 lego 申请证书#

新建 /srv/stack/lego/docker-compose.yml

nano /srv/stack/lego/docker-compose.yml

1
services:
2
  lego:
3
    image: goacme/lego
4
    container_name: lego
5
    env_file:
6
      - ./config/.env
7
    environment:
8
      - LEGO_PATH=/data
9
    volumes:
10
      - /srv/stack/lego:/data

编写 /srv/stack/lego/config/.env

nano /srv/stack/lego/config/.env

1
ALICLOUD_ACCESS_KEY=YOUR_ACCESS_KEY_ID
2
ALICLOUD_SECRET_KEY=YOUR_ACCESS_KEY_SECRET
3

4
LEGO_EMAIL=YOUR_EMAIL

首次申请#

docker compose -f /srv/stack/lego/docker-compose.yml run --rm lego --dns alidns -a -d example.com -d *.example.com run

设置定时任务#

crontab -e

1
...
2
0 3 * * * cd /srv/stack && docker compose -f ./lego/docker-compose.yml run --rm lego --dns alidns -d example.com -d *.example.com renew && docker compose exec nginx nginx -s reload

nginx 开启 HTTPS#

生成默认证书

openssl req -x509 -nodes -days 3650   -newkey rsa:2048   -keyout /srv/stack/nginx/cert/default.key   -out /srv/stack/nginx/cert/default.crt   -subj "/CN=localhost"

修改 /srv/stack/docker-compose.yml

1
services:
2
  nginx:
3
    image: nginx:1.28-alpine
4
    container_name: nginx
5
    ports:
6
      - "80:80"
7
      - "443:443"
8
    environment:
9
      - TZ=Asia/Shanghai
10
    volumes:
11
      - /srv/stack/nginx/conf.d:/etc/nginx/conf.d:ro
12
      - /srv/stack/lego/certificates:/ssl/example.com:ro
13
      - /srv/stack/nginx/cert:/ssl/nginx/:ro
14
      - /srv/stack/nginx/log:/var/log/nginx
15
      # - /srv/stack/nginx/html:/usr/share/nginx/html
16
    restart: unless-stopped

修改 /srv/stack/nginx/conf.d/default.conf

1
server {
2
    listen 80 default_server;
3
    server_name  _;
4

5
    return 444;
6
}
7

8
server {
9
    listen 443 ssl default_server;
10
    server_name  _;
11

12
    ssl_certificate /ssl/nginx/default.crt;
13
    ssl_certificate_key /ssl/nginx/default.key;
14

15
    return 444;
16
}

创建 /srv/stack/nginx/conf.d/gitea.conf

nano /srv/stack/nginx/conf.d/gitea.conf

1
server {
2
    listen 80;
3
    server_name git.example.com;
4
    return 301 https://$host$request_uri;
5
}
6

7
server {
8
    listen 443 ssl;
9
    server_name git.example.com;
10

11
    http2 on;
12

13
    ssl_certificate /ssl/example.com/example.com.crt;
14
    ssl_certificate_key /ssl/example.com/example.com.key;
15

16
    ssl_protocols TLSv1.2 TLSv1.3;
17
    ssl_prefer_server_ciphers off;
18

19
    ssl_session_cache shared:SSL:10m;
20
    ssl_session_timeout 10m;
21

22
    location / {
23
        client_max_body_size 512M;
24
        proxy_set_header Connection $http_connection;
25
        proxy_set_header Upgrade $http_upgrade;
26
        proxy_pass http://gitea:3000;
27
        proxy_set_header Host $host;
28
        proxy_set_header X-Real-IP $remote_addr;
29
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
30
        proxy_set_header X-Forwarded-Proto https;
31
    }
32
}

重新构建 nginx 容器

1
docker compose -f /srv/stack/docker-compose.yml up -d --build nginx

部署 Gitea Rootless#

创建目录

mkdir -p /srv/stack/gitea/{config,data}
chown 1000:1000 -R /srv/stack/gitea

编辑 /srv/stack/docker-compose.yml

1
services:
2
  nginx:
3
    image: nginx:1.28-alpine
4
    container_name: nginx
5
    ports:
6
      - "80:80"
7
      - "443:443"
8
    environment:
9
      - TZ=Asia/Shanghai
10
    volumes:
11
      - /srv/stack/nginx/conf.d:/etc/nginx/conf.d:ro
12
      - /srv/stack/lego/certificates:/ssl/unknowncat2048.top:ro
13
      - /srv/stack/nginx/cert:/ssl/nginx/:ro
14
      - /srv/stack/nginx/log:/var/log/nginx
15
      # - /srv/stack/nginx/html:/usr/share/nginx/html
16
    restart: unless-stopped
17
    depends_on:
18
      - gitea
19

20
  gitea:
21
    image: gitea/gitea:1.25-rootless
22
    container_name: gitea
23
    ports:
24
      - "1234:2222"
25
    volumes:
26
      - /srv/stack/gitea/data:/var/lib/gitea
27
      - /srv/stack/gitea/config:/etc/gitea
28
      - /etc/timezone:/etc/timezone:ro
29
      - /etc/localtime:/etc/localtime:ro
30
    restart: unless-stopped

启动容器

docker compose -f /srv/stack/docker-compose.yml up -d

访问 https://git.example.com 进入 Gitea 安装页面。

安装 fail2ban#

安装

sudo apt update
sudo apt install -y fail2ban

启动

sudo systemctl enable --now fail2ban

查看

sudo fail2ban-client status

查看具体规则

sudo fail2ban-client status xxx

防止 SSH 爆破#

创建 /etc/fail2ban/jail.d/sshd.conf

sudo nano /etc/fail2ban/jail.d/sshd.conf

1
[sshd]
2
enabled  = true
3
port     = ssh
4
logpath  = %(sshd_log)s
5
backend  = systemd
6

7
maxretry = 5
8
findtime = 10m
9
bantime  = 1h

根据 nginx 日志屏蔽#

检查自带 filter

ls /etc/fail2ban/filter.d/nginx*

创建 nginx jail

sudo nano /etc/fail2ban/jail.d/nginx.conf

1
[nginx-http-auth]
2
enabled  = true
3
port     = http,https
4
logpath  = /srv/stack/nginx/log/error.log
5
backend  = auto
6

7
maxretry = 5
8
findtime = 10m
9
bantime  = 1h
10

11

12
[nginx-botsearch]
13
enabled  = true
14
port     = http,https
15
logpath  = /srv/stack/nginx/log/access.log
16
backend  = auto
17

18
maxretry = 2
19
findtime = 10m
20
bantime  = 12h

根据 Gitea 日志屏蔽#

Gitea 官方教程

重启 fail2ban#

sudo systemctl restart fail2ban

分割 nginx 日志#

使用系统自带的 logrotate

sudo nano /etc/logrotate.d/nginx-docker

1
/srv/stack/nginx/log/*.log {
2
    daily
3
    rotate 14
4
    size 100M
5
    missingok
6
    notifempty
7
    compress
8
    delaycompress
9
    sharedscripts
10
    copytruncate
11
}