Notes from a soul-crushing server repair

First, about Vultr

Top up $5 and get $25 free; perfect for a broke student like me, so I jumped in without a second thought
To be fair, Vultr is pretty good: lots of customizable features such as reverse DNS and booting from a custom ISO; quite generous, honestly
But Vultr has one mysterious problem I have never figured out

After the CPU has been at full load for a while, ssh dies, and rebooting does not fix it

I first noticed it during summer vacation; there was not much data on the box then, so I did not pay much attention
Then, the day before yesterday, a script ran away, and I only noticed because SS went down. The CPU had been pegged for a whole day, load average probably in the teens, I could not even log in on the console, so I just rebooted

After the reboot I logged in on the console and saw the ssh service was not running, so I tried starting it, and it came up??
Checked the ports: port 22 was indeed being listened on by sshd
But I still could not log in over ssh
Tried telnet; connection refused as well
Is this thing cursed?

So I started trying all sorts of things, but Vultr's console is painful to work with and I could not find anything useful in the logs
Bit the bullet and reinstalled the system

Since I will probably use docker a lot from now on, I booted a custom ISO, partitioned the disk by hand and set up LVM; after the install I configured docker with direct-lvm. There were a few small hiccups along the way that I will not go into

Lesson: if I skip taking snapshots again, I'm a dog

Next, the LNMP stack

I did not want to use the lnmp one-click script any more and wanted to set up the LNMP stack by hand
Which obviously means Docker

First, get a wildcard certificate
certbot felt like too much hassle, so I used acme.sh; the domain was bought from GoDaddy, so I requested an API key and just ran it
(the API actually threw mysterious errors quite a few times

With the certificate done, on to the LNMP stack
Linking the containers by hand is tedious, so I just wrote a docker-compose file

version: "3"

services:

    mysql:
        image: mysql:5.6
        container_name: wp_mysql
        restart: always
        environment:
            - MYSQL_ROOT_PASSWORD=这个怎么可能给你看呢

    php-fpm:
        image: bitnami/php-fpm
        container_name: wp_php
        restart: always
        volumes:
            - $PWD/html/:/usr/local/openresty/nginx/html
        links:
            - mysql

    nginx:
        image: evi0s/waf-openresty-php
        container_name: wp_nginx
        restart: always
        links:
            - php-fpm
        volumes:
            - $PWD/html/:/usr/local/openresty/nginx/html
            - $PWD/ssl/:/usr/local/openresty/nginx/ssl:ro
        ports:
            - "0.0.0.0:80:80"
            - "0.0.0.0:443:443"

(looks like the MySQL data volume is not mapped yet; no rush

The Nginx image is my own build: OpenResty bundled with a WAF; you can try it out against phpMyAdmin. GitHub: evi0s/Openresty-WAF

The Nginx Dockerfile

# Dockerfile to build an Openresty container with WAF installed
FROM centos:7.5.1804
MAINTAINER evi0s <[email protected]>

# Install dependencies
RUN yum update -y && \
    yum install -y readline-devel pcre-devel openssl-devel perl make gcc gcc-c++ git wget

# Install Openssl
# (--no-check-certificate below skips TLS verification of the tarball download;
#  if you keep that flag, verify the archive against its published SHA-256 with sha256sum)
RUN cd /usr/local/src/ && \
    wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.2j.tar.gz && \
    tar zxvf openssl-1.0.2j.tar.gz && \
    cd openssl-1.0.2j && ./config shared zlib && \
    make && make install && \
    ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl && \
    ln -s /usr/local/ssl/include/openssl /usr/include/openssl && \
    echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

# Install Openresty
ADD https://openresty.org/download/openresty-1.13.6.2.tar.gz /usr/local/src

RUN cd /usr/local/src/ && \
    tar zxvf openresty-1.13.6.2.tar.gz

RUN cd /usr/local/src/openresty-1.13.6.2 && \
    sed -i '39d' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '39d' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '39d' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '39d' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '39a\\t    CORE_INCS="$CORE_INCS $OPENSSL/include"' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '40a\\t    CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '41a\\t    CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    sed -i '42a\\t    CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"' /usr/local/src/openresty-1.13.6.2/bundle/nginx-1.13.6/auto/lib/openssl/conf && \
    ./configure --prefix=/usr/local/openresty-1.13.6.2 \
    --with-luajit --with-http_stub_status_module \
    --with-pcre --with-pcre-jit --with-openssl=/usr/local/ssl \
    --with-http_v2_module --with-http_ssl_module \
    --with-http_realip_module --with-http_gzip_static_module && \
    gmake && gmake install

RUN ln -s /usr/local/openresty-1.13.6.2 /usr/local/openresty

# Install WAF
RUN git clone https://github.com/unixhot/waf.git

RUN cp -a ./waf/waf /usr/local/openresty/nginx/conf/ && \
    rm -rf /usr/local/openresty/nginx/conf/waf/config.lua && \
    mkdir /usr/local/openresty/nginx/ssl && \
    mkdir /usr/local/openresty/waf_logs

COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

COPY config.lua /usr/local/openresty/nginx/conf/waf/config.lua

# Add user nginx
RUN useradd -s /sbin/nologin nginx -u 8000

# Chown dir
RUN chown -R nginx.nginx /usr/local/openresty/

# Expose ports
EXPOSE 80
EXPOSE 443

# Start Openresty
CMD /usr/local/openresty/nginx/sbin/nginx -g "daemon off;"

(could not be bothered to tidy up the sed calls, sob

At first the Nginx container kept crashing in a loop; a look at the logs said it lacked permission to read the certificate

Weird, how can 0644 on the certificate not be enough

Fine, maybe the user is the problem? Nginx does not run as root inside the container, so I set the uid and gid and fixed up the user and group permissions

Still no good

Fine, let's try 0777

Still no good

I give up, just COPY it in from the Dockerfile

Still no good

What the hell is going on here

Copy it in and then chmod 0777 on top

Still permission denied

Completely stuck, then suddenly I thought of SELinux
Turned SELinux off, rebooted, and with minimal permissions plus the volume mapping everything worked.....

Lesson: if I ever turn SELinux on again, I'm a dog
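The permission errors above are what an SELinux denial looks like from inside a container: the mode bits are irrelevant because the bind-mounted files carry a host label the container's process label is not allowed to read. Rather than disabling SELinux, Docker can relabel the mounts. The following is an added example, not from the original post: a docker-compose excerpt reusing the services above, assuming Docker with SELinux support on the host (the CentOS 7 default) and the documented z/Z volume options.

```yaml
# Added example: docker-compose excerpt with SELinux-aware bind mounts.
# With SELinux enforcing, files under $PWD keep a host label (e.g. user_home_t),
# and the container process (container_t, svirt_lxc_net_t on older policies)
# may not read them regardless of the POSIX mode bits, which is why 0777 did not help.
# The z / Z mount options make Docker relabel the bind mount as container_file_t:
#   z  shared label, readable by every container (use for a dir several containers share)
#   Z  private label with a unique MCS category, readable by this container only
version: "3"

services:
    php-fpm:
        image: bitnami/php-fpm
        container_name: wp_php
        restart: always
        volumes:
            # the web root is read by both php-fpm and nginx: shared label
            - $PWD/html/:/usr/local/openresty/nginx/html:z

    nginx:
        image: evi0s/waf-openresty-php
        container_name: wp_nginx
        restart: always
        volumes:
            - $PWD/html/:/usr/local/openresty/nginx/html:z
            # only nginx needs the certificate and private key: read-only + private label
            - $PWD/ssl/:/usr/local/openresty/nginx/ssl:ro,Z
        ports:
            - "0.0.0.0:80:80"
            - "0.0.0.0:443:443"
```

Confirm the diagnosis first with `ausearch -m avc -ts recent` on the host, which shows the denial with the container's scontext against the certificate file, and check the result with `ls -Z ssl/` after `docker-compose up`.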

OK, back to configuring the Nginx container

Nginx had originally been set up for Node.js with a config I threw together; pointing it at php-fpm blew up immediately
The official php fpm image has pitfalls: two days of fiddling and it still would not execute anything, and the mysqli extension is missing too
Just switched to a third-party image, picked bitnami/php-fpm, and it worked straight away......

OK, that's about it

To sum up, this WordPress is deployed and served with a single docker-compose up; the software and techniques involved are
* Docker, docker-compose
* OpenResty with Lua
* WAF: the open-source unixhot/waf.git
* PHP-FPM
* MySQL

Here is the despair-inducing nginx.conf; it seems to have worked without problems so far

user  nginx nginx;

worker_processes auto;

error_log  /usr/local/openresty/nginx/logs/nginx_error.log  error;

pid        /usr/local/openresty/nginx/nginx.pid;

worker_rlimit_nofile 65535;

events
{
    use epoll;
    worker_connections 65535;
    multi_accept on;
}

http
{
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    include       mime.types;
    default_type  application/octet-stream;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;

    sendfile   on;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";

    server_tokens off;
    access_log off;

    server
    {
        listen 80;
        server_name evi0s.com;
        rewrite ^(.*)$  https://$host$1 permanent;
    }

    server
    {
        listen 443 ssl http2;
        server_name evi0s.com;
        index index.html index.htm index.php;
        root /usr/local/openresty/nginx/html/;

        ssl on;
        ssl_certificate /usr/local/openresty/nginx/ssl/fullchain.pem;
        ssl_certificate_key /usr/local/openresty/nginx/ssl/privkey.pem;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are only here for very old clients; drop them, and the 3DES and
        # plain-RSA suites below (no forward secrecy), if nothing you serve still needs them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # the ssl/ directory is the one mounted from the host, so generate the parameters there:
        # openssl dhparam -out /usr/local/openresty/nginx/ssl/dhparam.pem 2048
        ssl_dhparam /usr/local/openresty/nginx/ssl/dhparam.pem;

        if ($http_user_agent ~* "Baiduspider-render|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
        {
            return 403;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ [^/]\.php(/|$) {
            try_files $uri =404;
            fastcgi_pass   wp_php:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location /nginx_status
        {
            stub_status on;
            access_log   off;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        access_log  /usr/local/openresty/nginx/access.log;
    }
}
