快速创建TLS证书并部署到Docker服务

将下方代码保存为certbot.sh,修改头部变量后,上传到装有openssl组件的linux服务器上运行即可。

#!/bin/sh
#

export PASSWORD="密码"

export COUNTRY="CN"
export STATE="省"
export CITY="市"
export ORGANIZATION="公司名称"
export ORGANIZATIONAL_UNIT="Dev"
export COMMON_NAME="域名"
export EMAIL="电子邮件地址"

export HOST_NAME="COMMON_NAME"
export IP=`pingHOST_NAME -c 1 | sed '1{s/[^(]*(//;s/).*//;q}'`

export DIR="cert-HOST_NAME"

# Workspace

[ -dDIR ] || mkdir -p DIR

echo "PASSWORD:PASSWORD" > DIR/!nfo.txt
echo "HOST_NAME:HOST_NAME" >> DIR/!nfo.txt
echo "HOST_IP:IP" >> DIR/!nfo.txt

# Generate CA

openssl genrsa -aes256 -passout "pass:PASSWORD" -out "DIR/ca-key.pem" 4096

openssl req -new -x509 -days 3650 -key "DIR/ca-key.pem" -sha256 -out "DIR/ca.pem" -passin "pass:PASSWORD" -subj "/C=COUNTRY/ST=STATE/L=CITY/O=ORGANIZATION/OU=ORGANIZATIONAL_UNIT/CN=COMMON_NAME/emailAddress=EMAIL"

# Generate Server Certs

openssl genrsa -out "DIR/server-key.pem" 4096

openssl req -subj "/CN=HOST_NAME" -sha256 -new -key "DIR/server-key.pem" -out DIR/server.csr

echo "subjectAltName = DNS:HOST_NAME,IP:IP,IP:127.0.0.1">DIR/server.cnf
echo "extendedKeyUsage = serverAuth" >> DIR/server.cnf

openssl x509 -req -days 3650 -sha256 -inDIR/server.csr -passin "pass:PASSWORD" -CA "DIR/ca.pem" -CAkey "DIR/ca-key.pem" -CAcreateserial -out "DIR/server-cert.pem" -extfile DIR/server.cnf

# Generate Client Certs

openssl genrsa -out "DIR/client-key.pem" 4096

openssl req -subj '/CN=client' -new -key "DIR/client-key.pem" -outDIR/client.csr

echo "extendedKeyUsage = clientAuth" > DIR/client.cnf

openssl x509 -req -days 3650 -sha256 -inDIR/client.csr -passin "pass:PASSWORD" -CA "DIR/ca.pem" -CAkey "DIR/ca-key.pem" -CAcreateserial -out "DIR/client-cert.pem" -extfile DIR/client.cnf

# Modify Certs Permission

chmod 0400DIR/*-key.pem
chmod 0444 DIR/ca.pemDIR/*-cert.pem

# Remove Temporary Files

rm -f DIR/*.csrDIR/*.cnf

如果需要部署到Docker服务,请继续

# Install To Docker Daemon

mkdir -p /etc/docker/certs.d
cp DIR/ca.pem /etc/docker/certs.d/
cpDIR/server-*.pem /etc/docker/certs.d/

cat <<EOF >/etc/docker/daemon.json
{
    "tlsverify": true,
    "tlscacert": "/etc/docker/certs.d/ca.pem",
    "tlscert": "/etc/docker/certs.d/server-cert.pem",
    "tlskey": "/etc/docker/certs.d/server-key.pem",
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
EOF

# Modify Systemd Service

if [ -f /lib/systemd/system/docker.service ]; then
    sed -i 's#\["tcp:#\["fd://", "tcp:#' /etc/docker/daemon.json
    sed -i 's# -H fd://##' /lib/systemd/system/docker.service
    systemctl daemon-reload && systemctl restart docker
fi

特别注意

在systemd系统上-H已设置,因此无法使用hosts键来添加侦听地址,请参阅 https://docs.docker.com/install/linux/linux-postinstall/#configuring-remote-access-with-systemd-unit-file

自动生成百度云加速IP白名单

百度云加速的ip段非常之多,官方给了一个帖子来列出这些ip,获取起来十分不便。
倍感痛苦的我,最终还是决定写个PHP脚本自动更新Nginx的real_ip规则。其他规则也可以参考修改。

最新源码参看:https://github.com/anrip/baidu-yunjiasu-ip

<?php
bdip = read_ip_list('https://ticket-baidu.kf5.com/posts/view/148628');cfip = read_ip_list('https://www.cloudflare.com/ips-v4');
list = array_merge(bdip, cfip);

make_nginx_real_ip_conf(list);

///////////////////////////////////////////////////////////

function make_nginx_real_ip_conf(list) {
    foreach(list as &ip) {ip = "set_real_ip_from {ip};";
    }text = implode("\n", list);
    file_put_contents('nginx_real_ip.conf',text);
}

function read_ip_list(site) {html = file_get_contents(site);
    if(!preg_match_all('/\d+\.\d+\.\d+\.\d+\/\d+/',html, list)) {
        exit("读取远程数据失败: {site}\n");
    }
    return sort_ip_list(list[0]);
}

function sort_ip_list(list) {
    rets = array();
    foreach(array_unique(list) as val) {ip = ip2long(explode('/', val)[0]);ip = sprintf('%u', floatval(ip));rets[ip] =val;
    }
    ksort(rets);
    return array_values(rets);
}

Ubuntu/Linux 配置 Vlan

很久以前配置过,后来都是基于管理交换机配置;今天被逼无奈,又一次必须使用,怎么也弄不好,原来配置方式变了,郁闷!!

#开启内核支持
modprobe 8021q
echo "8021q" >>/etc/modules

#安装配置工具
aptitude install vlan

#增加虚拟接口
vconfig add eth1 30

以下内容添加到 /etc/network/interfaces

auto eth1

auto eth1.30
iface eth1.30 inet static
    address 10.20.30.19
    netmask 255.255.255.0
    network 10.20.30.0
    broadcast 10.20.30.255