vsftpd in practice on Ubuntu

Install:

apt-get install vsftpd

Configure:

1. useradd -d /var/www test   # add user test with /var/www as its home directory
2. passwd test                # set a password for test
3. Adjust the user's shell and home directory as required:

usermod -s /usr/sbin/nologin test   # no interactive (SSH/telnet) login for test, FTP only; Ubuntu ships nologin at /usr/sbin/nologin
usermod -s /bin/bash test           # give test a normal login shell again
usermod -d /var/www/website1 test   # change test's home directory to website1

Note that Ubuntu's /etc/pam.d/vsftpd checks the login shell with pam_shells, so whichever shell you assign must also be listed in /etc/shells (add /usr/sbin/nologin there if it is missing); otherwise FTP logins fail with 530.

4. Confine the user to /home/test so it cannot browse other paths. In /etc/vsftpd.conf:
chroot_list_enable=YES
# restrict the users named in the list to their own home directory
# (default follows)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
Edit vsftpd.chroot_list and add the users to be restricted, one username per line.

How chroot_local_user and chroot_list_enable combine:

chroot_local_user=YES, chroot_list_enable=YES
  1. All users are confined to their home directory.
  2. The users named in chroot_list_file are exceptions: they are NOT confined.

chroot_local_user=YES, chroot_list_enable=NO
  1. All users are confined to their home directory.
  2. chroot_list_file is not consulted; there are no exceptions.

chroot_local_user=NO, chroot_list_enable=YES
  1. No user is confined to their home directory.
  2. The users named in chroot_list_file are exceptions: they ARE confined.

chroot_local_user=NO, chroot_list_enable=NO
  1. No user is confined to their home directory.
  2. chroot_list_file is not consulted; there are no exceptions.

5. Restart the vsftpd server: service vsftpd restart

Errors:

vsftpd 530 Login incorrect
Fix: set pam_service_name=vsftpd (on Ubuntu it is pam_service_name=ftp). Whichever name you use must match a file under /etc/pam.d/ (check with ls /etc/pam.d/ | grep -i ftp); a name with no PAM file rejects every login.

550 Permission denied.
Fix: 1) write_enable=YES
     2) grant directory permissions: chmod -R 775 /var/www/website1

vsftpd: refusing to run with writable root inside chroot()
Fix: vi /etc/vsftpd.conf and add the line: allow_writeable_chroot=YES
This switches off a vsftpd safety check (a chroot root the confined user can write to can be abused to escape the jail). The safer layout is to keep the chroot root owned by root and non-writable, and give the user a writable subdirectory (for example /var/www/website1/upload) for uploads, so the override is never needed.
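As an added example, not code from the original post, the combination table above as a shell check: given a vsftpd.conf and a username it reports whether vsftpd will confine that user, honouring chroot_local_user, chroot_list_enable and chroot_list_file exactly as the four cases describe. The config and list files it writes are constructed fixtures, and vsftpd_opt, vsftpd_user_chrooted and vsftpd_demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example: predict whether vsftpd confines a local user to its home
# directory, from the chroot_local_user / chroot_list_enable / chroot_list_file
# settings in a vsftpd.conf. Helper names are hypothetical, not vsftpd's own.

# Print the effective boolean value of KEY ($1) in CONF ($2): the last
# assignment wins; anything other than YES/TRUE/1 (case-insensitive), or a
# missing key, means NO, which is vsftpd's default for both chroot booleans.
vsftpd_opt() {
    _val=$(sed -n "s/^[[:space:]]*$1=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$2" | tail -n 1)
    case "$_val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) echo YES ;;
        *) echo NO ;;
    esac
}

# Usage: vsftpd_user_chrooted CONF USER
# Prints "chrooted" or "free"; exit status 0 means chrooted, 1 means free.
vsftpd_user_chrooted() {
    _conf=$1; _user=$2
    _all=$(vsftpd_opt chroot_local_user "$_conf")
    _use_list=$(vsftpd_opt chroot_list_enable "$_conf")
    _list=$(sed -n 's/^[[:space:]]*chroot_list_file=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$_conf" | tail -n 1)
    [ -n "$_list" ] || _list=/etc/vsftpd.chroot_list   # vsftpd's compiled-in default path

    _listed=no
    if [ "$_use_list" = YES ] && [ -r "$_list" ] && grep -qxF "$_user" "$_list"; then
        _listed=yes
    fi

    # The list is always an exception list: it inverts whatever
    # chroot_local_user chose for everybody else.
    if [ "$_all" = YES ]; then
        [ "$_listed" = yes ] && { echo free; return 1; }
        echo chrooted
    else
        [ "$_listed" = yes ] && { echo chrooted; return 0; }
        echo free; return 1
    fi
}

# Demo with constructed fixtures: chroot_local_user=YES and
# chroot_list_enable=YES, user "alice" listed (so free), "bob" not (so chrooted).
vsftpd_demo() {
    _d=$(mktemp -d)
    printf 'chroot_local_user=YES\nchroot_list_enable=YES\nchroot_list_file=%s/vsftpd.chroot_list\n' "$_d" > "$_d/vsftpd.conf"
    printf 'alice\n' > "$_d/vsftpd.chroot_list"
    for _u in alice bob; do
        printf '%s: %s\n' "$_u" "$(vsftpd_user_chrooted "$_d/vsftpd.conf" "$_u")"
    done
    rm -rf "$_d"
}
vsftpd_demo
```

Run it against the real files with `vsftpd_user_chrooted /etc/vsftpd.conf test` after editing the config; a user you expected to be confined but that prints "free" usually means the list file path in chroot_list_file does not match the file you edited.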

Configuring a PPTP server on Ubuntu

1. Install pptpd

sudo apt-get install pptpd

2. Configure the virtual IP range; edit /etc/pptpd.conf

localip 192.168.0.1
remoteip 192.168.0.200-210,192.168.0.245

3. Set the DNS servers handed to clients; edit /etc/ppp/pptpd-options

ms-dns 8.8.8.8
ms-dns 8.8.4.4

4. Add users; edit /etc/ppp/chap-secrets (secrets are stored in clear text, so keep the file readable by root only and use a real password instead of the 123456 placeholder below)

# account   server   secret   IP address
user    pptpd    123456  *

5. Restart pptpd

# service pptpd restart

6. Enable IP forwarding for NAT; edit /etc/sysctl.conf

net.ipv4.ip_forward=1   # uncomment this line

7. Apply the setting immediately

sudo sysctl -p

8. Add the NAT rule to iptables (eth0 is the Internet-facing interface; substitute yours) and save the rule set

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/iptables-rules-for-me

9. Create /etc/network/if-pre-up.d/iptables with the content below and make it executable (chmod +x), otherwise ifupdown skips it and the NAT rule is lost on reboot:

#!/bin/sh
iptables-restore < /etc/iptables-rules-for-me
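The chap-secrets file written in step 4 holds every VPN user's secret in clear text, and the sample entry uses 123456. As an added example, not code from the original post, here is a small audit for the two hygiene problems that entry illustrates: a file other local users can read, and a trivially short secret. (PPTP with MS-CHAPv2 is itself regarded as weak, so this is a hygiene check on the server setup, not a fix for the protocol.) The files it writes are constructed fixtures; chap_secrets_audit and chap_secrets_demo are hypothetical helper names, not part of pptpd.

```shell
#!/bin/sh
# Added example: audit a chap-secrets file for world/group readability and for
# short secrets. Helper names are hypothetical, not part of pptpd or pppd.

# Usage: chap_secrets_audit FILE [MINLEN]
# Prints one line per entry or finding; exit status 1 if anything needs fixing.
chap_secrets_audit() {
    _file=$1; _minlen=${2:-12}; _rc=0
    # pppd reads the secrets in clear text, so nobody but root should be able to.
    if [ -n "$(find "$_file" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "WARN: $_file is readable by group or others (run: chmod 600 $_file)"
        _rc=1
    fi
    # Entry format: client  server  secret  [ip ...]; '#' starts a comment;
    # a secret may be wrapped in double quotes.
    awk -v minlen="$_minlen" '
        { sub(/#.*/, "") }
        NF < 3 { next }
        {
            secret = $3
            gsub(/^"|"$/, "", secret)
            if (length(secret) < minlen) {
                printf "WARN: client %s has a %d-character secret (minimum %d)\n", $1, length(secret), minlen
                bad = 1
            } else {
                printf "ok: client %s\n", $1
            }
        }
        END { exit bad ? 1 : 0 }' "$_file" || _rc=1
    return $_rc
}

# Demo: a constructed copy of the sample entry above (secret 123456) written
# world-readable, then a corrected entry with a constructed 17-character secret
# written with mode 600.
chap_secrets_demo() {
    _d=$(mktemp -d)
    printf '# account   server   secret   IP address\nuser    pptpd    123456  *\n' > "$_d/weak"
    chmod 644 "$_d/weak"
    chap_secrets_audit "$_d/weak" || echo "-> $_d/weak needs fixing"
    printf 'user    pptpd    "Tq7xPmz2Lc9vRb4Kw"  *\n' > "$_d/fixed"
    chmod 600 "$_d/fixed"
    chap_secrets_audit "$_d/fixed" && echo "-> $_d/fixed passes"
    rm -rf "$_d"
}
chap_secrets_demo
```

On a real server run `chap_secrets_audit /etc/ppp/chap-secrets` as root; the minimum length is a parameter because a site policy may reasonably demand more than 12 characters.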

Deploy production server on Ubuntu 14.04

Overview

  1. Setup deploy user
  2. Install Ruby
  3. Install MySQL
  4. Install Redis
  5. Install RabbitMQ
  6. Install Bitcoind
  7. Install Nginx with Passenger
  8. Install JavaScript Runtime
  9. Install ImageMagick
  10. Configure Peatio

1. Setup deploy user

Create (if it doesn’t exist) deploy user, and assign it to the sudo group:

sudo adduser deploy
sudo usermod -a -G sudo deploy

Re-login as deploy user

2. Install Ruby

Make sure your system is up-to-date.

sudo apt-get update
sudo apt-get upgrade

Install rbenv and ruby-build from git (build dependencies first). The git:// URLs used in this guide are unauthenticated; the https:// form of the same repositories is the safer choice.

sudo apt-get install git-core curl zlib1g-dev build-essential \
                     libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 \
                     libxml2-dev libxslt1-dev libcurl4-openssl-dev \
                     python-software-properties libffi-dev

cd
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL

Install Ruby through rbenv:

rbenv install 2.2.1
rbenv global 2.2.1

Install bundler

echo "gem: --no-ri --no-rdoc" > ~/.gemrc
gem install bundler
rbenv rehash

3. Install MySQL

sudo apt-get install mysql-server  mysql-client  libmysqlclient-dev

4. Install Redis

Be sure to install the latest stable Redis, as the package in the distro may be a bit old:

sudo apt-add-repository -y ppa:rwky/redis
sudo apt-get update
sudo apt-get install redis-server

5. Install RabbitMQ

Please follow the instructions here: https://www.rabbitmq.com/install-debian.html (fetch the signing key over HTTPS where possible; a key downloaded over plain HTTP can be replaced in transit).

curl http://www.rabbitmq.com/rabbitmq-signing-key-public.asc | sudo apt-key add -
sudo apt-add-repository 'deb http://www.rabbitmq.com/debian/ testing main'
sudo apt-get update
sudo apt-get install rabbitmq-server

sudo rabbitmq-plugins enable rabbitmq_management
sudo service rabbitmq-server restart
wget http://localhost:15672/cli/rabbitmqadmin
chmod +x rabbitmqadmin
sudo mv rabbitmqadmin /usr/local/sbin

6. Install Bitcoind

sudo add-apt-repository ppa:bitcoin/bitcoin
sudo apt-get update
sudo apt-get install bitcoind

Configure

mkdir -p ~/.bitcoin
touch ~/.bitcoin/bitcoin.conf
vim ~/.bitcoin/bitcoin.conf

Insert the following lines into bitcoin.conf, replacing the username and password with your own.

server=1
daemon=1

# If run on the test network instead of the real bitcoin network
testnet=1

# You must set rpcuser and rpcpassword to secure the JSON-RPC api
# Please make rpcpassword to something secure, `5gKAgrJv8CQr2CGUhjVbBFLSj29HnE6YGXvfykHJzS3k` for example.
# Listen for JSON-RPC connections on <port> (default: 8332 or testnet: 18332)
rpcuser=INVENT_A_UNIQUE_USERNAME
rpcpassword=INVENT_A_UNIQUE_PASSWORD
rpcport=18332

# Notify when receiving coins
walletnotify=/usr/local/sbin/rabbitmqadmin publish routing_key=peatio.deposit.coin payload='{"txid":"%s", "channel_key":"satoshi"}'

Start bitcoin

bitcoind

7. Install Nginx with Passenger

Install Phusion’s PGP key to verify packages

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7

Add HTTPS support to APT

sudo apt-get install apt-transport-https ca-certificates

Add the passenger repository. Note that this only works for Ubuntu 14.04. For other versions of Ubuntu, you have to add the appropriate repository according to Section 2.3.1 of this link.

sudo add-apt-repository 'deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main'
sudo apt-get update

Install nginx and passenger

sudo apt-get install nginx-extras passenger

Next, we need to update the Nginx configuration to point Passenger to the version of Ruby that we’re using. You’ll want to open up /etc/nginx/nginx.conf in your favorite editor,

sudo vim /etc/nginx/nginx.conf

find the following lines, and uncomment them:

passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /usr/bin/ruby;

update the second line to read:

passenger_ruby /home/deploy/.rbenv/shims/ruby;

8. Install JavaScript Runtime

A JavaScript runtime is needed for the asset pipeline to work. Any runtime will do, but Node.js is recommended. The NodeSource setup script below runs as root, so download it and read it before piping it into bash.

curl -sL https://deb.nodesource.com/setup | sudo bash -
sudo apt-get install nodejs

9. Install ImageMagick

sudo apt-get -y install imagemagick gsfonts

10. Set the production environment variable

echo "export RAILS_ENV=production" >> ~/.bashrc
source ~/.bashrc

Clone the source

mkdir -p ~/peatio
git clone git://github.com/peatio/peatio.git ~/peatio/current
cd ~/peatio/current

# Install dependency gems
bundle install --without development test --path vendor/bundle

Configure Peatio

Prepare configure files

bin/init_config

Setup Pusher

  • Peatio depends on Pusher. A development key/secret pair for development/test is provided in config/application.yml(uncomment to use). PLEASE USE IT IN DEVELOPMENT/TEST ENVIRONMENT ONLY!

See the Pusher website for details.

# uncomment Pusher related settings
vim config/application.yml

Setup bitcoind rpc endpoint

# replace username:password and port with the ones you set in bitcoin.conf in the previous step
# username and password should only contain letters and numbers; do not use an e-mail address as the username
vim config/currencies.yml
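Both the bitcoin.conf under step 6 (which asks for a secure rpcpassword) and the note above (letters and numbers only, no e-mail address as the username) are served by one added example, which is not code from the original post or from Peatio or bitcoind: it generates an alphanumeric rpcuser/rpcpassword pair, refuses anything that breaks the rule, writes bitcoin.conf so that only its owner can read the secret, and re-checks an existing file. The temp-directory path is constructed in place of ~/.bitcoin/bitcoin.conf; rpc_random_alnum, rpc_cred_valid, write_bitcoin_conf, bitcoin_conf_check and bitcoin_conf_demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example: alphanumeric RPC credentials for bitcoin.conf, written with
# owner-only permissions. Helper names are hypothetical, not bitcoind's or Peatio's.

# Print N random characters from [A-Za-z0-9] (default 40).
rpc_random_alnum() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-40}"
}

# Exit 0 if $1 is non-empty and purely alphanumeric (so "user@example.test" is rejected).
rpc_cred_valid() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: write_bitcoin_conf FILE RPCUSER RPCPASSWORD [RPCPORT]
# Contents mirror the bitcoin.conf from step 6 (testnet, JSON-RPC, walletnotify).
write_bitcoin_conf() {
    _file=$1; _user=$2; _pass=$3; _port=${4:-18332}
    rpc_cred_valid "$_user" || { echo "rpcuser must be letters and digits only" >&2; return 1; }
    rpc_cred_valid "$_pass" || { echo "rpcpassword must be letters and digits only" >&2; return 1; }
    [ ${#_pass} -ge 32 ] || { echo "rpcpassword shorter than 32 characters" >&2; return 1; }
    # umask in a subshell: the file is created 0600 from the start, with no
    # window in which a default 0644 copy of the secret exists.
    (
        umask 077
        cat > "$_file" <<EOF
server=1
daemon=1
testnet=1
rpcuser=$_user
rpcpassword=$_pass
rpcport=$_port
walletnotify=/usr/local/sbin/rabbitmqadmin publish routing_key=peatio.deposit.coin payload='{"txid":"%s", "channel_key":"satoshi"}'
EOF
    )
    chmod 600 "$_file"   # also tightens a pre-existing, more permissive file
}

# Exit 0 if FILE exists, is unreadable by group/others, and holds valid credentials.
bitcoin_conf_check() {
    _f=$1
    [ -f "$_f" ] || return 1
    [ -z "$(find "$_f" \( -perm -040 -o -perm -004 \))" ] || return 1
    rpc_cred_valid "$(sed -n 's/^rpcuser=//p' "$_f")" || return 1
    rpc_cred_valid "$(sed -n 's/^rpcpassword=//p' "$_f")" || return 1
}

# Demo in a constructed temp directory instead of ~/.bitcoin/bitcoin.conf.
bitcoin_conf_demo() {
    _d=$(mktemp -d)
    write_bitcoin_conf "$_d/bitcoin.conf" "peatio$(rpc_random_alnum 8)" "$(rpc_random_alnum 40)"
    bitcoin_conf_check "$_d/bitcoin.conf" && echo "bitcoin.conf written and checked: $_d/bitcoin.conf"
    write_bitcoin_conf "$_d/bad.conf" "user@example.test" "$(rpc_random_alnum 40)" \
        || echo "rejected an e-mail address as rpcuser, as the currencies.yml note requires"
    rm -rf "$_d"
}
bitcoin_conf_demo
```

The same user and password then go into config/currencies.yml; `bitcoin_conf_check ~/.bitcoin/bitcoin.conf` is a cheap thing to run from a deploy script so a hand-edited, world-readable config is caught before bitcoind starts.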

Config database settings

vim config/database.yml

# Initialize the database and load the seed data
bundle exec rake db:setup

Precompile assets

bundle exec rake assets:precompile

Run Daemons

# start all daemons
bundle exec rake daemons:start

# or start daemon one by one
bundle exec rake daemon:matching:start
...

# Daemon trade_executor can be run concurrently, e.g. below
# line will start four trade executors, each with its own logfile.
# Default to 1.
TRADE_EXECUTOR=4 rake daemon:trade_executor:start

# You can do the same when you start all daemons:
TRADE_EXECUTOR=4 rake daemons:start

If a daemon does not work, check log/#{daemon name}.rb.output or log/peatio:amqp:#{daemon name}.output for more information (the suffix is ‘.output’, not ‘.log’).

SSL Certificate setting

For security reasons you must set up an SSL certificate for the production environment. Once the certificate is configured, set the following line in config/environments/production.rb so every request is redirected to HTTPS:

config.force_ssl = true

Passenger:

sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /home/deploy/peatio/current/config/nginx.conf /etc/nginx/conf.d/peatio.conf
sudo service nginx restart

Liability Proof

# Add this rake task to your crontab so it runs regularly
RAILS_ENV=production rake solvency:liability_proof

Back-end servers behind an SLB load balancer cannot reach the load balancer's IP

On one back-end server behind an Alibaba Cloud SLB, I deployed a script today and requests kept failing with curl: (7) couldn't connect to host

The security policy and the firewall both looked fine. Utterly baffling. Only after asking Alibaba support did I learn that a listener defaults to a layer-4 protocol, which does not support a back-end ECS instance acting as a client of the SLB; to allow that, the listener has to be changed to layer 7 (https or http).

Note that this option is not visible when editing an existing listener: you have to delete the original listening port and, when adding a new one, choose http or https as the front-end protocol.


TrustAsia DV SSL CA certificate failing under curl

The free Alibaba Cloud CA certificate expired and could not be bought again. Alibaba Cloud really is a trap. I applied for a free TrustAsia certificate at Sina Cloud instead; after it was issued, access worked fine. A day later, however, I found curl failing with the following error:

SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Frustrating. I then applied again at Tencent Cloud, also a free TrustAsia DV certificate; after it was issued it verified fine and curl worked too. I have no words...

Apache SSL configuration (certificate, key and CA chain file):

SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/cert/2018/2_yourdomain.cn.crt
SSLCertificateKeyFile /home/cert/2018/3_yourdomain.cn.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /home/cert/2018/1_root_bundle.crt
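A common cause of exactly the curl error quoted above (certificate verify failed, while browsers still accept the site) is a server that sends only its leaf certificate without the intermediate CA, which is what SSLCertificateChainFile is there to supply. As an added example, not code from the original post, the following builds a throwaway root → intermediate → leaf hierarchy with openssl and shows that the leaf verifies only when the intermediate is provided; the same check against a live server is `openssl s_client -connect host:443 -servername host -showcerts`, which should list the intermediate after the leaf. All names in it are constructed (example.test, "Constructed Root CA") and make_demo_pki, leaf_verifies and chain_demo are hypothetical helper names; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: why the intermediate CA bundle matters. Builds a constructed
# root -> intermediate -> leaf hierarchy and verifies the leaf with and
# without the intermediate. Helper names are hypothetical; requires openssl.

# Usage: make_demo_pki DIR  -> writes root.pem, inter.pem, leaf.pem (and keys) into DIR
make_demo_pki() {
    _d=$1
    # One config file serves both the self-signed root (x509_extensions = ca)
    # and the -extensions sections used when signing the CSRs.
    cat > "$_d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
    # self-signed root CA
    openssl req -x509 -config "$_d/ext.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Root CA" -keyout "$_d/root.key" -out "$_d/root.pem" 2>/dev/null
    # intermediate CA, signed by the root, with CA extensions
    openssl req -new -config "$_d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" -keyout "$_d/inter.key" -out "$_d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$_d/inter.csr" -CA "$_d/root.pem" -CAkey "$_d/root.key" -CAcreateserial \
        -days 365 -extfile "$_d/ext.cnf" -extensions ca -out "$_d/inter.pem" 2>/dev/null
    # server (leaf) certificate, signed by the intermediate
    openssl req -new -config "$_d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=example.test" -keyout "$_d/leaf.key" -out "$_d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$_d/leaf.csr" -CA "$_d/inter.pem" -CAkey "$_d/inter.key" -CAcreateserial \
        -days 365 -extfile "$_d/ext.cnf" -extensions leaf -out "$_d/leaf.pem" 2>/dev/null
}

# Usage: leaf_verifies ROOT LEAF [INTERMEDIATE]
# Exit 0 when LEAF chains up to ROOT; the intermediate, if given, is offered
# as an untrusted helper certificate, just as a server offers it in the handshake.
leaf_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

chain_demo() {
    _d=$(mktemp -d)
    make_demo_pki "$_d"
    leaf_verifies "$_d/root.pem" "$_d/leaf.pem" \
        || echo "leaf alone: verify FAILED (the situation behind the curl error)"
    leaf_verifies "$_d/root.pem" "$_d/leaf.pem" "$_d/inter.pem" \
        && echo "leaf + intermediate: verify OK"
    # This is what SSLCertificateChainFile should contain: the intermediate(s), not the root.
    cat "$_d/inter.pem" > "$_d/1_root_bundle.crt"
    rm -rf "$_d"
}
chain_demo
```

The client-side trust store still needs the root, so if `openssl s_client -showcerts` already shows the intermediate and curl still fails, the next thing to check is whether the issuing root is present in the machine's ca-certificates bundle.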