安装:
wget https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/fail2ban.sh bash fail2ban.sh
卸载:
wget https://raw.githubusercontent.com/FunctionClub/Fail2ban/master/uninstall.sh bash uninstall.sh
原文:https://www.ixh.me/2016/12/fail2ban-onekey/
1, 安装shadowsocks
apt-get install python-m2crypto build-essential python-pip
pip install shadowsocks
2, 编译安装libsodium
wget https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
tar zxf LATEST.tar.gz
cd libsodium*
./configure
make && make install
3, 修复动态链接库
sudo echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig
4, 启动shadowsocks
ssserver -p 12345 -k password -m chacha20
Apache在生成证书后也需要修改一下apache的配置文件 /usr/local/apache/conf/httpd.conf ,查找httpd-ssl将前面的#去掉。
然后再执行:
Apache 2.2如下:
cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5 SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5 SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/usr/local/apache/logs/ssl_mutex" SSLStrictSNIVHostCheck on NameVirtualHost *:443 EOF
Apache 2.4如下:
cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5 SSLProxyCipherSuite EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5 SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 Mutex sysvsem default SSLStrictSNIVHostCheck on EOF
并在对应apache虚拟主机配置文件的最后下面添加上SSL部分的配置文件:
<VirtualHost *:443> DocumentRoot /home/wwwroot/www.xiaokyun.com #网站目录 ServerName www.xiaokyun.com:443 #域名 ServerAdmin admin@xiaokyun.com #邮箱 ErrorLog "/home/wwwlogs/www.xiaokyun.com-error_log" #错误日志 CustomLog "/home/wwwlogs/www.xiaokyun.com-access_log" common #访问日志 SSLEngine on SSLCertificateFile /etc/letsencrypt/live/www.xiaokyun.com/fullchain.pem #改一下里面的域名就行 SSLCertificateKeyFile /etc/letsencrypt/live/www.xiaokyun.com/privkey.pem #改一下里面的域名就行 <Directory "/home/wwwroot/www.xiaokyun.com"> #网站目录 SetOutputFilter DEFLATE Options FollowSymLinks AllowOverride All Order allow,deny Allow from all DirectoryIndex index.html index.php </Directory> </VirtualHost>
需将上述配置根据自己的实际情况修改后,添加到虚拟主机配置文件最后面。注意要重启apache使其实现。
执行:
/etc/init.d/httpd restart
重启Apache使其生效。
完整配置如下:
server
{
listen 443 ssl; //如果需要spdy也可以加上,lnmp1.2及其后版本都默认支持spdy,lnmp1.3 nginx 1.9.5以上版本默认支持http2
server_name www.xiaokyun.com; //这里是你的域名
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/www.xiaokyun.com; //网站目录
ssl_certificate /etc/letsencrypt/live/www.xiaokyun.com/fullchain.pem; //前面生成的证书,改一下里面的域名就行,不建议更换路径
ssl_certificate_key /etc/letsencrypt/live/www.xiaokyun.com/privkey.pem; //前面生成的密钥,改一下里面的域名就行,不建议更换路径
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;include wordpress.conf; //这个是伪静态根据自己的需求改成其他或删除
#error_page 404 /404.html;
location ~ [^/].php(/|$)
{
# comment try_files $uri =404; to enable pathinfo
try_files $uri =404;
fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf; //lnmp 1.0及之前版本替换为include fcgi.conf;
#include pathinfo.conf;
}location ~ .*.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}location ~ .*.(js|css)?$
{
expires 12h;
}access_log off;
}
需将上述配置根据自己的实际情况修改后,添加到虚拟主机配置文件最后面。
添加完需要执行:
/etc/init.d/nginx reload
重新载入配置使其生效。
如果需要HSTS,可以加上
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
1、Let’s Encrypt官网:
1、官方网站:https://letsencrypt.org/
2、项目主页:https://github.com/letsencrypt/letsencrypt
2、安装Let’s Encrypt脚本依赖环境:(这一部分可以跳过,因为官方提供的Let’s Encrypt脚本会自动检测并安装)
# Debian
apt-get install git# CentOS 6
yum install centos-release-SCL && yum update
yum install python27
scl enable python27 bash
yum install python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv
yum install augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
3、查看自己的VPS主机到底是安装了哪个操作系统版本,可以执行命令:
cat /etc/issue 或者 cat /etc/redhat-release
4、获取Let’s Encrypt免费SSL证书很简单,你只需要执行以下命令,就会自动在你的VPS上生成SSL证书和私钥。
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
执行上述命令后,会弹出对话框,同意用户协议。 接着会提示让你关闭Nginx或者Apache。 Let’s Encrypt需要用到80和443端口,所以你需要关闭那些占用这两个端口的应用。 Let’s Encrypt免费SSL证书获取成功了!