
[N1 Box] N1 Armbian 5.60 0928: LAMP + KodCloud (可道云) + phpMyAdmin + aria2 beginner tutorial

This post was last edited by 哈小福 on 2018-12-30 11:34

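After more than 10 days of tinkering, it is finally perfect.
I'd call myself a veteran at the entry level, so I'm posting a tutorial to save newcomers some detours.
It uses Armbian 5.60 (0928 build) plus a modified kernel and a modified dtb file, all of which come from the forum.
Some of the configuration code comes from the forum.
Thanks to all the experts on the forum for their selfless contributions.
This tutorial uses the vi editor; forum members who are not familiar with vi can use nano.

0. Install Armbian to the N1's eMMC (not covered in this tutorial)

1. Replace the kernel
Kernel source: https://www.right.com.cn/forum/thread-347129-1-1.html
Link: https://pan.baidu.com/s/1rxe5O6MclGoFBcaJbfXZeA
Extraction code: oup4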
tar -zxvf /root/4.18_kernel_mod.tar.gz -C /
reboot

2. Replace the default APT sources
vi /etc/apt/sources.list
Replace the contents with:
deb https://mirrors.ustc.edu.cn/debian stretch main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch main contrib non-free

deb https://mirrors.ustc.edu.cn/debian stretch-updates main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-updates main contrib non-free

deb https://mirrors.ustc.edu.cn/debian stretch-backports main contrib non-free
#deb-src http://httpredir.debian.org/debian stretch-backports main contrib non-free

deb https://mirrors.ustc.edu.cn/debian-security/ stretch/updates main contrib non-free
#deb-src http://security.debian.org/ stretch/updates main contrib non-free
Upgrade the installed packages
apt update
apt upgrade

3. Disable some services
systemctl stop serial-getty@ttyS0.service
systemctl disable serial-getty@ttyS0.service

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service

4. System settings
Set the time zone, hostname, IP address and other system settings
armbian-config

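5. Create a local user
nginx, php, samba and ftp run with this local user's permissions
KodCloud is installed later with this user's permissions, so file uploads and downloads over web, samba and ftp do not run into permission conflicts
Create the www user
useradd www -s /usr/sbin/nologin
Set the password for www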
passwd www

6. Install the web environment
Apache is used; nginx virtual directories are a trap, and I serve aria2 and phpMyAdmin from a virtual directory later on
apt-get install -y apache2
apt-get install -y php php-cgi php-cli php-mcrypt php-calendar php-ctype php-curl php-dom php-exif php-fileinfo php-ftp php-gd php-gettext php-gmp php-iconv php-imap php-intl php-json php-ldap php-mbstring php-mysqli php-mysqlnd php-opcache php-pdo-mysql php-pdo-pgsql php-pdo-sqlite php-pdo php-pgsql php-phar php-shmop php-simplexml php-soap php-sockets php-sqlite3 php-sysvmsg php-sysvsem php-sysvshm php-tokenizer php-xml php-xmlreader php-xmlwriter php-zip php-pecl-http
apt-get install -y libapache2-mod-php
apt-get install -y mariadb-server

7. Modify the apache2 configuration
Run Apache as www
vi /etc/apache2/envvars
export APACHE_RUN_USER=www
export APACHE_RUN_GROUP=www

8. Install KodCloud
vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /www/wwwroot/kedaoyun

<Directory "/www/wwwroot/kedaoyun">
Options FollowSymlinks
AllowOverride None
Require all granted
</Directory>
php_admin_value open_basedir "/www/wwwroot/kedaoyun/:/www/wwwroot/webtools:/tmp:/proc/"
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Alias /tools/ "/www/wwwroot/webtools/"
<Directory "/www/wwwroot/webtools">
Options FollowSymlinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
mkdir -p /www/wwwroot/kedaoyun
cd /www/wwwroot/kedaoyun
wget http://static.kodcloud.com/update/download/kodexplorer4.37.zip # (mind the version; get the link from the KodCloud official site)
unzip kodexplorer4.37.zip
rm kodexplorer4.37.zip
chown www.www -R /www/wwwroot/kedaoyun
chmod 777 -R /www/wwwroot/kedaoyun
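Open KodCloud in a browser, set the administrator password and configure KodCloud; creating a regular user for everyday use is recommended
Alias /tools/ "/www/wwwroot/webtools/" is the virtual directory that holds aria2 and phpMyAdmin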

9. Install aria2
apt-get install -y aria2
mkdir /etc/aria2
touch /etc/aria2/aria2.session
vi /etc/aria2/aria2.conf
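## Lines starting with '#' are comments; every option has an explanatory comment, change them as needed ##
## Commented-out options show the default value; uncomment them only when you need to change them ##

## Progress saving ##

# Read download tasks from the session file
#input-file=aria2.session
# Save `failed/unfinished` download tasks to the session file when aria2 exits
#save-session=aria2.session
# Save the session periodically; 0 means save only on exit; requires 1.16.1 or later; default: 0
#save-session-interval=60

## File saving ##

# Directory where files are saved; default: the current start-up location
# (你的可道云普通用户 is a placeholder for your KodCloud regular user name)
dir=/www/wwwroot/kedaoyun/data/User/你的可道云普通用户/home/DownLoads
# Enable the disk cache; 0 disables the cache; requires 1.16 or later; default: 16M
#disk-cache=32M
# File pre-allocation method; effectively reduces disk fragmentation; default: prealloc
# Time needed for pre-allocation: none < falloc ? trunc < prealloc
# falloc and trunc require file system and kernel support
# falloc is recommended for NTFS, trunc for EXT3/4; comment this option out on macOS
file-allocation=trunc
# Resume interrupted downloads
continue=true

## Download connections ##

# Maximum number of concurrent downloads; can be changed at runtime; default: 5
#max-concurrent-downloads=5
# Connections per server; can be specified when adding a task; default: 1
max-connection-per-server=5
# Minimum split size; can be specified when adding a task; range 1M-1024M; default: 20M
# Assuming size=10M: a 20MiB file is downloaded from two sources; a 15MiB file from one source
min-split-size=10M
# Maximum number of threads per task; can be specified when adding a task; default: 5
#split=5
# Overall download speed limit; can be changed at runtime; default: 0
#max-overall-download-limit=0
# Per-task download speed limit; default: 0
#max-download-limit=0
# Overall upload speed limit; can be changed at runtime; default: 0
#max-overall-upload-limit=0
# Per-task upload speed limit; default: 0
max-upload-limit=50
# Disable IPv6; default: false
#disable-ipv6=true
# Connection timeout; default: 60
#timeout=60
# Maximum number of retries; 0 means unlimited retries; default: 5
#max-tries=5
# Seconds to wait between retries; default: 0
#retry-wait=0

## RPC settings ##

# Enable RPC; default: false
enable-rpc=true
# Allow all origins; default: false
rpc-allow-origin-all=true
# Listen for RPC requests on all network interfaces, not only loopback; default: false
rpc-listen-all=true
# Event polling method; values: [epoll, kqueue, port, poll, select]; the default differs by system
#event-poll=select
# RPC listening port; change it if the port is already in use; default: 6800
#rpc-listen-port=6800
# RPC authorization token; added in v1.18.4; replaces the --rpc-user and --rpc-passwd options
# (你的令牌 is a placeholder for your token)
rpc-secret=你的令牌
# RPC user name; deprecated in newer versions, use the --rpc-secret option instead
#rpc-user=<USER>
# RPC password; deprecated in newer versions, use the --rpc-secret option instead
#rpc-passwd=<PASSWD>
# Whether to enable SSL/TLS encryption for the RPC service;
# once enabled, the RPC service must be reached over https or wss
#rpc-secure=true
# Certificate file used when SSL/TLS is enabled for the RPC service;
# with PEM format you must specify the private key via --rpc-private-key
#rpc-certificate=/path/to/certificate.pem
# Private key file used when SSL/TLS is enabled for the RPC service
#rpc-private-key=/path/to/certificate.key

## BT/PT downloads ##

# When the download is a torrent (ending in .torrent), start the BT task automatically; default: true
#follow-torrent=true
# BT listening port; use when the port is blocked; default: 6881-6999
listen-port=51413
# Maximum number of peers per torrent; default: 55
#bt-max-peers=55
# Enable DHT; must be disabled for PT; default: true
enable-dht=true
# Enable IPv6 DHT; must be disabled for PT
#enable-dht6=false
# DHT listening port; default: 6881-6999
#dht-listen-port=6881-6999
# Local peer discovery; must be disabled for PT; default: false
#bt-enable-lpd=false
# Peer exchange; must be disabled for PT; default: true
enable-peer-exchange=true
# Per-torrent speed limit; useful for PT torrents with few seeds; default: 50K
#bt-request-peer-speed-limit=50K
# Client masquerading; needed for PT
peer-id-prefix=-TR2770-
user-agent=Transmission/2.77
# Stop seeding automatically once the torrent's share ratio reaches this value; 0 means seed forever; default: 1.0
seed-ratio=1.0
# Force saving the session even when the task has completed; default: false
# With newer versions, enabling this keeps the .aria2 file after the task completes
#force-save=false
# BT hash check; default: true
bt-hash-check-seed=true
# When resuming a previous BT task, do not verify again; default: false
bt-seed-unverified=true
# Save magnet link metadata as a torrent file (.torrent); default: false
bt-save-metadata=true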
# bt-tracker=<comma-separated tracker announce URLs>
chown www.www -R /etc/aria2
mkdir -p /www/wwwroot/webtools/aria2
Extract Aria-Ng and upload it to this directory
chown www.www -R /www/wwwroot/webtools/aria2
sudo -u www -g www aria2c --conf-path=/etc/aria2/aria2.conf -D
Test run, then configure the Aria-Ng page settings
http://IP/tools/aria2/
To start it at boot, add the following line to /etc/rc.local before exit 0
sudo -u www -g www aria2c --conf-path=/etc/aria2/aria2.conf -D

10. Test MariaDB
mysql -uroot -p
There is no password initially; just press Enter to log in
Seeing MariaDB [(none)]> means it is running fine
Change the root password
update mysql.user set password=password("你的密码") where user='root';
Change the root login method
update mysql.user set plugin='mysql_native_password' where user='root';
flush privileges;
exit

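Moving MariaDB's data storage location: recommended if you need a lot of database storage; other users are advised not to do this
Move the MariaDB storage location to /www/mariadbdata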
systemctl stop mysql
chown mysql.mysql /www/mariadbdata
\cp -rfp /var/lib/mysql/* /www/mariadbdata/
vi /etc/mysql/mariadb.conf.d/50-server.cnf
Change the value of the datadir parameter to /www/mariadbdata, then save and exit
Back up the original data directory: tar -czvf /root/mariadb.tar.gz /var/lib/mysql
rm -rf /var/lib/mysql
Restart the service: systemctl start mysql
Test MariaDB again

11. Install phpMyAdmin
cd /www/wwwroot/webtools/
wget https://files.phpmyadmin.net/php ... 4-all-languages.zip #(get the download link from the official site)
unzip phpMyAdmin-4.8.4-all-languages.zip
rm phpMyAdmin-4.8.4-all-languages.zip
mv phpMyAdmin-4.8.4-all-languages phpmyadmin
chown www.www -R phpmyadmin
cd /www/wwwroot/webtools/phpmyadmin
cp config.sample.inc.php config.inc.php
vi config.inc.php
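Set $cfg['blowfish_secret'] to any string of digits and letters longer than 32 characters (it is used for cookie authentication, so choose anything), then save and exit
Browse to http://<your IP>/tools/phpmyadmin/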

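12. Set up USB automounting
Because of a conflict with the system, for now only FAT- and ext-formatted USB sticks or portable hard drives can be mounted automatically
My mount point is /www/usb
vi /etc/udev/udev.conf
Add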
udev_root="/dev/"
udev_rules="/etc/udev/rules.d"
udev_log="err"
vi /etc/udev/rules.d/11-usbmount.rules
KERNEL=="sd[a-z][0-9]", ACTION=="add|remove", RUN+="/etc/udev/mount_usb.sh $env{ACTION} %k"
vi /etc/udev/mount_usb.sh
After mounting the USB device I also redirect a directory with mount --bind, pointing /www/wwwroot/kedaoyun/data/User/<my KodCloud regular user>/ at /www/usb/kedaoyundata/<my KodCloud regular user>/, so the code below differs a little from what I posted before. The main goals are to keep the directories on the USB storage device tidy and to let ftp and samba run without errors whether or not the USB storage device is mounted
#!/bin/bash
## Ubuntu: edit /lib/systemd/system/systemd-udevd.service and replace MountFlags=slave with MountFlags=shared
## Debian: edit /usr/lib/systemd/system/systemd-udevd.service and /etc/systemd/system/systemd-udevd.service
# $1 is the udev action (add or remove), $2 is the kernel device name passed by the rule (%k)
usbdisk=/www/usb
if [ "$1" == "add" ]; then
    ID_FS_TYPE=$(blkid -sTYPE -ovalue "/dev/$2")
    case $ID_FS_TYPE in
        vfat)
            mount -t vfat -o noatime,umask=0,iocharset=cp936 "/dev/$2" "$usbdisk" > /dev/null 2>&1 &&
            sync &&
            /etc/udev/mount_B_rewrite.sh > /dev/null 2>&1
            ;;
        ext[2-4])
            mount -o noatime "/dev/$2" "$usbdisk" >/dev/null 2>&1 &&
            sync &&
            /etc/udev/mount_B_rewrite.sh > /dev/null 2>&1
            ;;
#        exfat)
#        mount -t exfat -o noatime,umask=0,iocharset=utf8 /dev/$2 $usbdisk > /dev/null 2>&1 &&
#        sync &&
#        /etc/udev/mount_B_rewrite.sh > /dev/null 2>&1
#        ;;
#        ntfs)
#        mount -t ntfs-3g -o noatime,umask=0,iocharset=cp936 /dev/$2 $usbdisk > /dev/null 2>&1 &&
#        sync &&
#        /etc/udev/mount_B_rewrite.sh > /dev/null 2>&1
#        ;;
        *)
            exit 0
            ;;
    esac
elif [ "$1" == "remove" ]; then
    sync
    # Stop the services that hold files open on the USB mount before unmounting
    systemctl stop apache2
    systemctl stop vsftpd
    systemctl stop smbd
    umount -f "$usbdisk"
    /etc/udev/umount_B_rewrite.sh >/dev/null 2>&1
    systemctl start apache2
    systemctl start vsftpd
    systemctl start smbd
fi
vi /lib/systemd/system/systemd-udevd.service
MountFlags=shared
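systemctl daemon-reload
systemctl restart udev
Bind-mount redirect script: /etc/udev/mount_B_rewrite.sh
#!/bin/bash
# 你的可道云普通用户 is a placeholder for your KodCloud regular user name
mount --bind /www/usb/kedaoyundata/你的可道云普通用户/ /www/wwwroot/kedaoyun/data/User/你的可道云普通用户/ > /dev/null 2>&1
Bind-mount unmount script: /etc/udev/umount_B_rewrite.sh
#!/bin/bash
umount -f /www/wwwroot/kedaoyun/data/User/你的可道云普通用户 > /dev/null 2>&1
After mounting a USB storage device, reopen the ftp and samba clients
After mounting a USB storage device, the ftp and samba services need to be restarted
Do not mount a USB storage device until every service in this tutorial has been set up; this step only prepares the configuration!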

12. Install samba
apt-get install samba
touch /etc/samba/smbpasswd
vi /etc/samba/smb.conf
[global]
workgroup=WORKGROUP
netbios name=N1
server string=N1
enable core files=no
max protocol=SMB3
passdb backend=smbpasswd
smb passwd file=/etc/samba/smbpasswd
local master=no
name resolve order=lmhosts host bcast
log file=/var/log/samba.log
log level=0
max log size=5
socket options=IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
unix charset=UTF8
bind interfaces only=yes
interfaces=eth0
unix extensions=no
encrypt passwords=yes
pam password change=no
obey pam restrictions=no
host msdfs=no
disable spoolss=yes
security=USER
guest ok=no
map to guest=Bad User
hide unreadable=yes
writeable=yes
directory mode=0777
create mask=0777
force directory mode=0777
max connections=10
null passwords=yes
strict allocate=no
use sendfile=yes
getwd cache=true
write cache size=2097152
min receivefile size=16384
dos filemode=yes
dos filetimes=yes
dos filetime resolution=yes
dos charset=CP936
load printers=no
printcap name=/dev/null

[H1Disk]
comment=H1Disk
path=/www/usb
writeable=yes
valid users=root
invalid users=
read list=root
write list=root

[MyFolder]
comment=MyFolder
path=/www/wwwroot/kedaoyun/data/User/你的可道云普通用户/home
writeable=yes
valid users=www
invalid users=
read list=www
write list=www
systemctl restart smbd
smbpasswd -a www
smbpasswd -a root
Source of this configuration: 小钢炮

13. Install ftp
apt-get install vsftpd
Put all of the vsftpd configuration under /etc/vsftpd
mkdir /etc/vsftpd
touch /etc/vsftpd/vsftpd.chroot_list
mv /etc/vsftpd.conf /etc/vsftpd/
vi /lib/systemd/system/vsftpd.service
vi /etc/init.d/vsftpd
In both files, change /etc/vsftpd.conf to /etc/vsftpd/vsftpd.conf
vi /etc/vsftpd/vsftpd.conf
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES
chroot_list_enable=NO
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
utf8_filesystem=YES
chroot_local_user=YES
local_root=/www/wwwroot/kedaoyun/data/User/你的可道云普通用户/home
allow_writeable_chroot=YES
max_clients=10
max_per_ip=10
file_open_mode=0666
check_shell=NO
#pasv_min_port=50000
#pasv_max_port=51000
systemctl restart vsftpd
Local user login
Notes:
1. The ftp user must have a home directory
2. The user's shell must be a valid shell
vi /etc/shells and add
/usr/sbin/nologin


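Once all of the configuration works without problems
Copy the KodCloud regular user's directory to a temporary directory and stop all services such as samba, vsftp and apache2
Mount the USB storage device and copy the files from the temporary directory to the corresponding location on the USB storage device
Use \cp -rfp when copying
After mounting and unmounting the USB storage both test fine, delete the temporary directory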


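Enable https in apache2
First you need a domain name and the SSL certificate that matches it; if you have neither, there is no need to read further
Enable ssl in apache2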
a2enmod ssl
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf default-ssl.conf
vi default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /www/wwwroot/kedaoyun

<Directory "/www/wwwroot/kedaoyun">
Options FollowSymlinks
AllowOverride None
Require all granted
</Directory>
Alias /tools/ "/www/wwwroot/webtools/"
<Directory "/www/wwwroot/webtools">
Options FollowSymlinks
AllowOverride None
Require all granted
</Directory>
php_admin_value open_basedir "/www/wwwroot/kedaoyun/:/www/wwwroot/webtools:/tmp:/proc/"

SSLCertificateFile /etc/apache2/ssl/你的ssl证书_public.crt
SSLCertificateKeyFile /etc/apache2/ssl/你的ssl证书.key
SSLCertificateChainFile /etc/apache2/ssl/你的ssl证书_chain.crt

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
#SSLCertificateFile        /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
#        Translate the client X.509 into a Basic Authorisation. This means that
#        the standard Auth/DBMAuth methods can be used for access control. The
#        user name is the `one line' version of the client's X.509 certificate.
#        Note that no password is obtained from the user. Every entry in the user
#        file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
#        This exports two additional environment variables: SSL_CLIENT_CERT and
#        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#        server (always existing) and the client (only existing when client
#        authentication is used). This can be used to import the certificates
#        into CGI scripts.
# o StdEnvVars:
#        This exports the standard SSL/TLS related `SSL_*' environment variables.
#        Per default this exportation is switched off for performance reasons,
#        because the extraction step is an expensive operation and is usually
#        useless for serving static content. So one usually enables the
#        exportation for CGI and SSI requests only.
# o OptRenegotiate:
#        This enables optimized SSL connection renegotiation handling when SSL
#        directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
#        This forces an unclean shutdown when the connection is closed, i.e. no
#        SSL close notify alert is send or allowed to received. This violates
#        the SSL/TLS standard but is needed for some brain-dead browsers. Use
#        this when you receive I/O errors because of the standard approach where
#        mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
#        This forces an accurate shutdown when the connection is closed, i.e. a
#        SSL close notify alert is send and mod_ssl waits for the close notify
#        alert of the client. This is 100% SSL/TLS standard compliant, but in
#        practice often causes hanging connections with brain-dead browsers. Use
#        this only for browsers where you know that their SSL implementation
#        works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
#        nokeepalive ssl-unclean-shutdown \
#        downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
mkdir /etc/apache2/ssl/
Upload the SSL certificate to /etc/apache2/ssl/
systemctl restart apache2

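Enable https for Aria-Ng
vi /etc/aria2/aria2.conf
Change the following part
# Whether to enable SSL/TLS encryption for the RPC service;
# once enabled, the RPC service must be reached over https or wss
rpc-secure=true
# Certificate file used when SSL/TLS is enabled for the RPC service;
# with PEM format you must specify the private key via --rpc-private-key
# (你的ssl证书 is a placeholder for your SSL certificate's file name)
rpc-certificate=你的ssl证书public
# Private key file used when SSL/TLS is enabled for the RPC service
rpc-private-key=你的ssl证书.key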


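If you have problems, reply in this thread; if you find the tutorial useful, please give it a rating!
Finally, a complaint about the forum's code-posting feature: the layout broke 3 times...
I'm never posting code snippets again
The code is a bit messy; please bear with it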

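Ratings (3 participants, Enshan coins +3):
是的是*** +1: One look and you can tell the author has strong Linux skills. Someone like me who only knows chmod 777 can only bow in admiration.
minr*** +1: Mighty Enshan! (repeat the following 10,000 times)
zhs*** +1: Mighty Enshan! (repeat the following 10,000 times)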
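
The aria2.conf, smb.conf and vsftpd.conf in the tutorial above enable several settings that widen what the box exposes on the network. The following is an added example, not part of the original post: a POSIX shell audit that parses those key=value files and reports the settings in question. The function names and finding texts are illustrative, and the sample config at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: flag the network-exposure
# settings this tutorial writes into aria2.conf, vsftpd.conf and smb.conf.

# conf_get FILE KEY: print the last uncommented value of KEY in a key=value file.
conf_get() {
    awk -v key="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            k = trim(substr($0, 1, index($0, "=") - 1))
            if (tolower(k) == tolower(key)) val = trim(substr($0, index($0, "=") + 1))
        }
        END { print val }
    ' "$1"
}

# is_on VALUE: succeeds for the spellings these daemons accept as "enabled".
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in true|yes|1) return 0 ;; esac
    return 1
}

# audit_aria2 FILE: one finding per line; silent when RPC is disabled.
audit_aria2() {
    is_on "$(conf_get "$1" enable-rpc)" || return 0
    is_on "$(conf_get "$1" rpc-listen-all)" &&
        echo "aria2: rpc-listen-all=true, RPC is reachable on every interface"
    is_on "$(conf_get "$1" rpc-allow-origin-all)" &&
        echo "aria2: rpc-allow-origin-all=true, responses carry Access-Control-Allow-Origin: *"
    case "$(conf_get "$1" rpc-secret)" in
        ""|"你的令牌") echo "aria2: rpc-secret is empty or still the tutorial placeholder" ;;
    esac
    is_on "$(conf_get "$1" rpc-secure)" ||
        echo "aria2: rpc-secure is off, the RPC token crosses the network in cleartext"
    return 0
}

# audit_vsftpd FILE: cleartext FTP and the writable chroot the tutorial enables.
audit_vsftpd() {
    is_on "$(conf_get "$1" ssl_enable)" ||
        echo "vsftpd: ssl_enable is off, logins and files travel in cleartext"
    is_on "$(conf_get "$1" allow_writeable_chroot)" &&
        echo "vsftpd: allow_writeable_chroot=YES, the chroot top directory is user-writable"
    return 0
}

# audit_samba FILE: empty-password logins, plus a section-aware check for
# shares whose "valid users" list contains root.
audit_samba() {
    is_on "$(conf_get "$1" "null passwords")" &&
        echo "samba: null passwords=yes, accounts with an empty password can log in"
    awk -F= '
        /^[ \t]*\[/ { sec = $0; next }
        tolower($1) ~ /^[ \t]*valid users[ \t]*$/ && (" " $2 " ") ~ /[ \t,]root[ \t,]/ {
            print "samba: share " sec " lists root in valid users" }
    ' "$1"
}

# Constructed sample mirroring the tutorial's RPC settings; prints four findings.
demo=$(mktemp)
printf '%s\n' enable-rpc=true rpc-allow-origin-all=true rpc-listen-all=true \
    '#rpc-secure=true' 'rpc-secret=你的令牌' > "$demo"
audit_aria2 "$demo"; rm -f "$demo"
```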

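Bro, could you put together a ready-made firmware?

I also installed KodCloud, on armbian5.62. Uploading large files in KodCloud is often very slow, and sometimes there is no speed at all. Does the OP run into this too?

I uploaded from my phone; I haven't tried from a computer, but I expect it would be the same

What I read online says the dropped connections happen on the 4.19 kernel; my 5.62 has the 4.18 kernel, so why does it happen here too?

Original poster, replying to zjwang123 (posted 2018-12-30 11:56):
I also installed KodCloud, on armbian5.62. Uploading large files in KodCloud is often very slow, and sometimes there is no speed at all. Does the OP run into this too?
...

KodCloud uploads large files in packed chunks and merges them only after everything has been uploaded, which is why it is slow
I suggest adjusting PHP's upload file size parameters accordingly

How do I get KodCloud to use a mounted portable hard drive?

Way, way too complicated; as a newbie, reading this makes my head spin...

Such a good post and nobody has bumped it. Thanks to the OP for sharing so selflessly, thank you

Too complicated, I didn't understand it!

Thanks for sharing.

Is there a ready-made one? As a beginner I can't really follow this.

All hail the OP!

Thanks for sharing.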
