小鸡的春天(vps)

三个月前,我无意间看到:

image-20240422194309500

这不冲?VPS 注册链接 可惜没有冲 $10送 $100 活动了

昨天的主人公 Ubuntu 16.04 卡冒烟,今天的主人公 openwrt 真香

预览

image-20240422205537014

要求

  1. 具有 vnc 显示的 vps(能显示屏幕,控制键盘)
  2. 有 Google 查阅文档的能力
  3. 有一定的 linux 基础
  4. 能够一键重装
  5. Debian / RanHat 皆可

安装

收集信息

  1. 确定当前系统的启动方式为legacy还是uefi,因为不同启动方式需要的固件不一样。可以使用lsblk查看,如果是uefi启动,会有/boot/efi目录或者一个分区号比较大的类似于/dev/vda128的分区,如果没有此目录,那就是legacy启动(不一定,通常是这样)

    1
    2
    3
    4
    5
    6
    root@temp-sh:~# lsblk
    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda 254:0 0 40G 0 disk
    ├─vda1 254:1 0 1M 0 part
    ├─vda2 254:2 0 191M 0 part /boot/efi
    └─vda3 254:3 0 39.8G 0 part /
  2. 记录当前系统的网络配置,网络类型分两种:

    1. VPS 在内网中,IP 地址为内网 IP,获取 IP 方式为 DHCP 或者 static
    2. VPS 直接分配公网 IP
    1
    2
    3
    4
    5
    6
    auto eth0
    iface eth0 inet static
    address 123.123.60.154/24
    gateway 123.123.60.1
    dns-nameservers 8.8.8.8 1.1.1.1
    #如果IP是DHCP获取的,可以使用netstat -rn 查看网关

下载镜像

推荐 openwrt.ai

1
2
3
4
5
6
7
8
9
# 创建内存临时文件夹
mount -t tmpfs tmpfs /tmp/
cd /tmp

# 下载镜像
wget https://dl.openwrt.ai/releases/targets/armsr/armv8/openwrt-03.30.2024-armsr-armv8-generic-ext4-combined.img.gz -O ext4.img.gz

# 解压
gzip -d ext4.img.gz

刷机

切换到浏览器上的终端(VNC),因为 SSH 80%几率会崩

image-20240422213712040

image-20240422213845885

1
dd if=/tmp/ext4.img of=/dev/vda bs=4M status=progress oflag=sync
1
2
3
4
5
6
7
# 当你看到这种文字的时候代表镜像写入完成
# 36147341 records in
# 36147341 records out

# 刷写完毕后可能强制重启不了,强制重启命令
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

等待

大概 3 分钟左右,看一下 VNC,如果卡住了没输出,就按一下回车,看看有没有反应,如果出现这种,就算安装好了

image-20240422214528674

配置

修改网络配置

还是在 VNC 终端输入粘贴,信息需根据你的服务器自定义

1
2
3
4
5
6
7
8
9
10
11

uci set network.lan.proto='static'
uci set network.lan.ipaddr='192.168.10.100'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.gateway='192.168.10.1'
uci set network.lan.dns='8.8.8.8 114.114.114.114'
uci commit network
# 重启网络
/etc/init.d/network reload
# 关闭防火墙
/etc/init.d/firewall stop

登录

默认密码:root、paswd、password、admin、123456

扩容

1
2
3
4
5
opkg update && opkg install lsblk parted losetup resize2fs

curl "https://openwrt.org/_export/code/docs/guide-user/advanced/expand_root?codeblock=0" | sh

reboot

个性化配置

NGINX

我把默认的 uhttpd 替换成了 NGINX (openwrt.ai 默认就是 NGINX)

1
2
3
4
5
6
7
8
9
10
11
/etc/init.d/uhttpd stop
/etc/init.d/uhttpd disable
/etc/init.d/nginx enable
/etc/init.d/nginx start

uci set nginx.global.uci_enable=false
sed -i "s/option uci_enable 'true'/option uci_enable 'false'/g" /etc/config/nginx
/etc/init.d/nginx enable
/etc/init.d/nginx restart

# 听说得 mv /etc/nginx/uci.conf /etc/nginx/uci.conf.bak 不然重启就报错

/etc/nginx/nginx.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# This file is re-created when Nginx starts.
# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx
# UCI_CONF_VERSION=1.2

worker_processes auto;

user root;

include module.d/*.module;

events {}

http {
access_log off;
log_format openwrt
'$request_method $scheme://$host$request_uri => $status'
' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

include mime.types;
default_type application/octet-stream;
sendfile on;

client_max_body_size 128M;
large_client_header_buffers 4 8k;

gzip on;
gzip_vary on;
gzip_proxied any;

# IP 访问给个假视野 默认 OpenWrt 安装的 NGINX 不存在 /usr/share/nginx/html 需要自己去下载Linux NGINX 安装包 然后解压提取: https://nginx.org/download/nginx-1.20.1.tar.gz
server {
listen 80;
# listen [::]:80;
server_name _lan;
root /usr/share/nginx/html;
access_log /var/log/nginx/_lan.log;
}

# SNI 防御
server {
listen 443 ssl default_server;
ssl_reject_handshake on;
access_log /var/log/nginx/_lan_ssl.log;
}
# OpenWrt 配置
server {
listen 80;
# listen [::]:80;
server_name xxx.com;
root /www;
include conf.d/*.locations;
access_log /var/log/nginx/op.log;

#禁止非 Mozilla/ 请求头的访问
if ($http_user_agent !~* "Mozilla/") {
return 403;
}

#禁止非GET|HEAD|POST方式的抓取
if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
return 403;
}

#禁止Scrapy等爬虫工具的采集
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
return 403;
}
}
include conf.d/*.conf;
}

单臂路由

1
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Cloudflare

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# https://www.cloudflare.com/ips replace the ips-v4 with ips-v6 if needed
# https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/
for ip in $(curl -kfsSL https://www.cloudflare.com/ips-v4);
do iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT
echo " * Add $ip -> INPUT"
done

if [ $? -eq 0 ]; then
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
echo " * DROP 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -> INPUT"
fi

for ip in $(curl -kfsSL https://www.cloudflare.com/ips-v6);
do ip6tables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT
echo " * Add6 $ip -> INPUT"
done

if [ $? -eq 0 ]; then
ip6tables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
echo " * DROP6 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -> INPUT"
fi

防火墙持久化

image-20240422231031451

Alist

安装

1
sh -c "$(curl -ksS https://raw.githubusercontent.com/sbwml/luci-app-alist/master/install.sh)"

监听地址修改

1
2
3
# /etc/init.d/alist
sed -n 's/listen_addr=$lan_addr/listen_addr="127.0.0.1"/p' /etc/init.d/alist
sed -i 's/listen_addr=$lan_addr/listen_addr="127.0.0.1"/g' /etc/init.d/alist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# NGINX
server {
listen 80;
server_name alist.xxx.com;
index index.html;

#禁止非 Mozilla/ 请求头的访问
if ($http_user_agent !~* "Mozilla/") {
return 403;
}

#禁止非GET|HEAD|POST方式的抓取
if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
return 403;
}

#禁止Scrapy等爬虫工具的采集
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
return 403;
}

access_log /var/log/nginx/alist.log;

location / {
proxy_pass http://127.0.0.1:5244;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

致谢

XRSec has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way