Установка wordpress на virtualbox без сертификатов

hostname u1804

$ sudo apt update
$ sudo apt install mc samba
$ sudo apt install apache2

$ sudo apt-get install mariadb-server mariadb-client
$ sudo mysql_secure_installation

Enter current password for root (enter for none): Enter
Set root password? [Y/n] Y
New password: 12345
Re-enter new password: 12345
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y



$ sudo mysql -u root -p
 


$ sudo apt install php7.2 libapache2-mod-php7.2 php7.2-common php7.2-mysql php7.2-gmp php7.2-curl php7.2-intl php7.2-mbstring php7.2-xmlrpc php7.2-gd php7.2-xml php7.2-cli php7.2-zip



$ sudo nano /etc/php/7.2/apache2/php.ini

Изменить:

memory_limit = 256M

upload_max_filesize = 100M

max_execution_time = 360

#date.timezone

Сохранить.


$ sudo systemctl restart apache2.service

$ sudo nano /var/www/html/phpinfo.php

<?php phpinfo( ); ?>


Сохранить.

http://u1804/phpinfo.php

$ sudo mysql -u root -p
Enter password:

MariaDB [(none)]> CREATE DATABASE wpdatabase;

MariaDB [(none)]> CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'password';

MariaDB [(none)]> GRANT ALL ON wpdatabase.* TO 'wpuser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]> EXIT;

#$ mysql -u wpuser -p wpdatabase
#$ sudo mysql -u root -p
#MariaDB [(none)]> SET PASSWORD FOR 'wpuser'@'localhost' = PASSWORD('password');


$ cd /tmp

$ wget https://wordpress.org/latest.tar.gz

$ tar -xvzf latest.tar.gz

$ sudo mv wordpress /var/www/html/example.com

$ sudo chown -R www-data:www-data /var/www/html/example.com/

$ sudo chmod -R 755 /var/www/html/example.com/

$ sudo nano /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
  ServerName u1804
  #ServerName example.com
  #ServerAlias www.example.com
  ServerAdmin admin@example.com
  DocumentRoot /var/www/html/example.com

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Сохранить.


$ sudo a2ensite example.com.conf

$ sudo a2enmod rewrite

$ sudo systemctl reload apache2



Имя базы данных:   wpdatabase
Имя пользователя:   wpuser
Пароль:                     password





Имя пользователя:  admin

Пароль:                    4ff97a90d4dd0d3d


Публикация ИБ на веб-сервере Apache 2.4.

Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04

$ sudo dpkg -i 1c-enterprise83-ws_8.3.13-1690_amd64.deb
$ sudo apt-get install apache2 -y

Создаем директорию для vrd-файла:
$ sudo mkdir -p /var/www/ib/demo

А также файл конфигурации Apache:
$ sudo touch /etc/apache2/conf-available/demo.conf

Переходим в каталог со утилитой публикации веб-клиента:
$ cd /opt/1C/v8.3/x86_64/

Запускаем утилиту:
$ sudo ./webinst -apache24 -wsdir demo -dir '/var/www/ib/demo' -connstr 'Srvr="test";Ref="demo";' -confPath /etc/apache2/conf-available/demo.conf


Где /var/www/ib/demo - директория где будет создан vrd-файл, demo - имя ИБ, test - адрес сервера 1С:Предпрятие, а /etc/apache2/conf-available/demo.conf - путь до конфигурационного файла Apache.

 Подключаем конфигурацию:
$ sudo a2enconf demo

 Перезагрузка Apache:
$ sudo service apache2 reload
# systemctl restart apache2

Смотрим:
http://test/demo или https://test/demo

================================================
Стало глючить:
 
Может быть так:
$ sudo apachectl -V | grep -i mpm
AH00534: apache2: Configuration error: No MPM loaded.

А может вот так:
$ sudo apachectl -V | grep -i mpm
Server MPM:     event
$ sudo a2dismod mpm_event

$ sudo a2enmod mpm_worker

Considering conflict mpm_event for mpm_worker:
Considering conflict mpm_prefork for mpm_worker:
Enabling module mpm_worker.
To activate the new configuration, you need to run:
  service apache2 restart

$ sudo service apache2 restart


$ sudo apachectl -V | grep -i mpm
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.0.239. Set the 'ServerName' directive globally to suppress this message
Server MPM:     worker

Apache MPM worker

$ sudo nano /etc/apache2/mods-enabled/mpm_worker.conf

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#                         graceful restart. ThreadLimit can only be changed by stopping
#                         and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves

<IfModule mpm_worker_module>
        StartServers                     2
        MinSpareThreads          25
        MaxSpareThreads          75
        ThreadLimit                      64
        ThreadsPerChild          25
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>
================================================
$ sudo mkdir  /var/www/html/example.com/

$ sudo chown -R www-data:www-data /var/www/html/example.com/

$ sudo chmod -R 755 /var/www/html/example.com/

$ sudo nano /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin admin@example.com
  DocumentRoot /var/www/html/example.com

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Сохранить.


$ sudo a2ensite example.com.conf

$ sudo a2enmod rewrite

$ sudo systemctl reload apache2

$ sudo apt install certbot

$ sudo mkdir -p /var/lib/letsencrypt/.well-known

$ sudo chgrp www-data /var/lib/letsencrypt

$ sudo chmod g+s /var/lib/letsencrypt

$ sudo nano /etc/apache2/conf-available/well-known.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Сохранить.

$ sudo a2enmod ssl

$ sudo a2enmod headers


$ sudo add-apt-repository ppa:ondrej/apache2
$ sudo apt update
$ sudo apt upgrade 
$ sudo a2enmod http2


$ sudo a2enconf well-known

$ sudo systemctl restart apache2

$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

$ sudo nano /etc/apache2/sites-available/example.com.conf


<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/html/example.com

  Protocols h2 http:/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Сохранить.

$ sudo nano /etc/apache2/mods-available/ssl.conf
 Добавить после <IfModule mod_ssl.c> :

<IfModule mod_ssl.c>
        # Set the location of the SSL OCSP Stapling Cache
         SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Сохранить.


$ sudo systemctl restart apache2




$ sudo crontab -e


Добавить:

0 1 * * * /usr/bin/certbot renew & > /dev/null

Сохранить.
 
https://example.com/

понедельник, 24 июня 2019 г.

How to Install WordPress with Apache2 and Let’s Encrypt SSL/TLS Certificates on Ubuntu 16.04 | 18.04

How to Install WordPress with Apache2 and Let’s Encrypt SSL/TLS Certificates on Ubuntu 16.04 | 18.04

 Ubuntu 18.04 пакеты в репозитарии

# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Скачать и использовать для входа /home/user/.ssh/id_rsa
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config

Проверить:

PasswordAuthentication no
.....

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Сохранить.

$ sudo systemctl reload sshd

После проверки входа и sudo

Отключть вход root по ssh

$ sudo nano /etc/ssh/sshd_config

Исправить:

PermitRootLogin no

Сохранить.

$ sudo systemctl reload sshd
# отключим ipv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
#sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p

$ sudo apt update
$ sudo apt install apache2

$ sudo apt-get install mariadb-server mariadb-client
$ sudo mysql_secure_installation

Enter current password for root (enter for none): Enter
Set root password? [Y/n] Y
New password: 12345
Re-enter new password: 12345
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y



$ sudo mysql -u root -p


$ sudo apt install php7.2 libapache2-mod-php7.2 php7.2-common php7.2-mysql php7.2-gmp php7.2-curl php7.2-intl php7.2-mbstring php7.2-xmlrpc php7.2-gd php7.2-xml php7.2-cli php7.2-zip



$ sudo nano /etc/php/7.2/apache2/php.ini

Изменить:

memory_limit = 256M

upload_max_filesize = 100M

max_execution_time = 360

#date.timezone

Сохранить.


$ sudo systemctl restart apache2.service

$ sudo nano /var/www/html/phpinfo.php

<?php phpinfo( ); ?>


Сохранить.

http://example.com/phpinfo.php


$ sudo mysql -u root -p
Enter password:

MariaDB [(none)]> CREATE DATABASE wpdatabase;

MariaDB [(none)]> CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'new_password_here';

MariaDB [(none)]> GRANT ALL ON wpdatabase.* TO 'wpuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;

MariaDB [(none)]> FLUSH PRIVILEGES;

MariaDB [(none)]> EXIT;




$ cd /tmp

$ wget https://wordpress.org/latest.tar.gz

$ tar -xvzf latest.tar.gz

$ sudo mv wordpress /var/www/html/example.com

$ sudo chown -R www-data:www-data /var/www/html/example.com/

$ sudo chmod -R 755 /var/www/html/example.com/

$ sudo nano /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin admin@example.com
  DocumentRoot /var/www/html/example.com

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Сохранить.


$ sudo a2ensite example.com.conf

$ sudo a2enmod rewrite

$ sudo systemctl reload apache2

$ sudo apt install certbot

$ sudo mkdir -p /var/lib/letsencrypt/.well-known

$ sudo chgrp www-data /var/lib/letsencrypt

$ sudo chmod g+s /var/lib/letsencrypt

$ sudo nano /etc/apache2/conf-available/well-known.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Сохранить.

$ sudo a2enmod ssl

$ sudo a2enmod headers

$ sudo a2enmod http2

$ sudo a2enconf well-known

$ sudo systemctl restart apache2



$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

$ sudo nano /etc/apache2/sites-available/example.com.conf


<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/html/example.com

  Protocols h2 http:/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Сохранить.

$ sudo nano /etc/apache2/mods-available/ssl.conf
 Добавить после <IfModule mod_ssl.c> :

<IfModule mod_ssl.c>
        # Set the location of the SSL OCSP Stapling Cache
         SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Сохранить.


$ sudo systemctl restart apache2




$ sudo crontab -e


Добавить:

0 1 * * * /usr/bin/certbot renew & > /dev/null

Сохранить.
 
https://example.com/



Имя базы данных:   wpdatabase
Имя пользователя:   wpuser
Пароль:                     new_password_here








воскресенье, 23 июня 2019 г.

Install WordPress + Apache, MariaDB, and HHVM in Ubuntu 18.04

How to Install LAMP Stack on Ubuntu 18.04 Server/Desktop
How to Install WordPress on Ubuntu 17.10 with Apache, MariaDB, PHP7.1
How to Properly Enable HTTPS on Apache with Let’s Encrypt on Ubuntu 16.04/17.10
How to Change Your WordPress URL (4 Easy Methods)

How To Install WordPress with LAMP on Ubuntu 18.04

Switch WordPress from HTTP to HTTPS on Ubuntu with Let’s Encrypt and Apache2
How to Install WordPress with Apache2 and Let’s Encrypt SSL/TLS Certificates on Ubuntu 16.04 | 18.04
Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04



 Ubuntu 18.04 пакеты в репозитарии

# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Скачать и использовать для входа /home/user/.ssh/id_rsa
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config

Проверить:

PasswordAuthentication no
.....

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Сохранить.

$ sudo systemctl reload sshd

После проверки входа и sudo

Отключть вход root по ssh

$ sudo nano /etc/ssh/sshd_config

Исправить:

PermitRootLogin no

Сохранить.

$ sudo systemctl reload sshd
# отключим ipv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
#sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p


$ sudo apt install -y apache2 apache2-utils
$ systemctl status apache2

http://example.com/

$ sudo chown www-data:www-data /var/www/html/ -R




$ sudo apt install mariadb-server mariadb-client
$ sudo systemctl status mariadb


$ sudo mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.


проверка:

$ sudo mariadb -u root

MariaDB [(none)]> exit
Bye

sudo apt install php7.2 libapache2-mod-php7.2 php7.2-mysql php-common php7.2-cli php7.2-common php7.2-json php7.2-opcache php7.2-readline

$ sudo a2enmod php7.2
Considering dependency mpm_prefork for php7.2:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php7.2:
Module php7.2 already enabled


$ sudo systemctl restart apache2

$ php --version

 
$ sudo nano /var/www/html/info.php  
 
<?php phpinfo(); ?>

Сохранить.

http://example.com/info.php


$ sudo a2dismod php7.2

$ sudo apt install php7.2-fpm

$ sudo a2enmod proxy_fcgi setenvif

$ sudo a2enconf php7.2-fpm


http://example.com/info.php


$ sudo apt update && sudo apt upgrade
 
$ wget https://wordpress.org/latest.zip
 
#$ sudo apt install unzip
 
$ sudo unzip latest.zip
 
$ sudo mkdir /var/www/example.com 
 
$ sudo mv wordpress/* /var/www/example.com
 
$ sudo mariadb -u root 

MariaDB [(none)]> create database wordpress;

MariaDB [(none)]> grant all privileges on wordpress.* to wpuser@localhost identified by '12345'; 

MariaDB [(none)]> flush privileges;




Database Name: wordpress
User: wpuser
Password: 12345




$ cd /var/www/example.com/
 
$ sudo cp wp-config-sample.php wp-config.php 

 
$ sudo nano wp-config.php
 
Отредактировать: 
 
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wpuser' );

/** MySQL database password */
define( 'DB_PASSWORD', '12345' );



Сохранить.


$ sudo chown www-data:www-data /var/www/example.com/ -R


$ cd /etc/apache2/sites-available/

$ sudo nano example.com.conf

 
<VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com

        DocumentRoot /var/www/example.com

        #This enables .htaccess file, which is needed for WordPress Permalink to work.
        <Directory "/var/www/example.com">
             AllowOverride All
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/example.com.error.log
        CustomLog ${APACHE_LOG_DIR}/example.com.access.log combined
</VirtualHost>

Сохранить.
 
 
$ sudo apache2ctl configtest
 
$ sudo a2ensite example.com.conf
 
$ sudo systemctl reload apache2 
 

Делаем сертификаты от root :

Вариант от root :
$ sudo -i
# apt install curl
# curl https://get.acme.sh | sh

Делаем сертификаты:
# /root/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com
$ ~/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com

[Mon Jun 17 12:28:42 CEST 2019] Your cert is in  /root/.acme.sh/example.com/example.com.cer
[Mon Jun 17 12:28:42 CEST 2019] Your cert key is in  /root/.acme.sh/
example.co/example.com.key
[Mon Jun 17 12:28:42 CEST 2019] The intermediate CA cert is in  /root/.acme.sh/
example.co/ca.cer
[Mon Jun 17 12:28:42 CEST 2019] And the full chain certs is there:  /root/.acme.sh/
example.com/fullchain.cer


$ sudo nano /etc/apache2/sites-enabled/example.com.conf


 <IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile      /root/.acme.sh/example.com/example.com.cer
    SSLCertificateKeyFile  /root/.acme.sh/example.com/example.com.key
    #SSLCertificateChainFile /root/.acme.sh/example.com/fullchain.cer
</VirtualHost>

sudo nano /etc/apache2/sites-available/zaz01.info-ssl.conf
 
sudo nano /etc/apache2/sites-available/site.conf 
 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile      /root/.acme.sh/example.com/example.com.cer
    SSLCertificateKeyFile  /root/.acme.sh/example.com/example.com.key
    #SSLCertificateChainFile /root/.acme.sh/example.com/fullchain.cer
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://example.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule>
 
$ sudo a2enmod ssl 

$ sudo a2enmod rewrite
 
sudo a2ensite site 

пятница, 21 июня 2019 г.

Публикация ИБ на веб-сервере Apache 2.4.


Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04

$ sudo dpkg -i 1c-enterprise83-ws_8.3.13-1690_amd64.deb$ sudo apt-get install apache2 -y

Создаем директорию для vrd-файла:
$ sudo mkdir -p /var/www/ib/demo

А также файл конфигурации Apache:
$ sudo touch /etc/apache2/conf-available/demo.conf

Переходим в каталог со утилитой публикации веб-клиента:
$ cd /opt/1C/v8.3/x86_64/

Запускаем утилиту:
$ sudo ./webinst -apache24 -wsdir demo -dir '/var/www/ib/demo' -connstr 'Srvr="test";Ref="demo";' -confPath /etc/apache2/conf-available/demo.conf


Где /var/www/ib/demo - директория где будет создан vrd-файл, demo - имя ИБ, test - адрес сервера 1С:Предпрятие, а /etc/apache2/conf-available/demo.conf - путь до конфигурационного файла Apache.

 Подключаем конфигурацию:
$ sudo a2enconf demo

 Перезагрузка Apache:
$ sudo service apache2 reload
# systemctl restart apache2

Смотрим:
http://test/demo или https://test/demo

Может быть так:
$ sudo apachectl -V | grep -i mpm
AH00534: apache2: Configuration error: No MPM loaded.

А может вот так:
$ sudo apachectl -V | grep -i mpm
Server MPM:     event
$ sudo a2dismod mpm_event

$ sudo a2enmod mpm_worker

Considering conflict mpm_event for mpm_worker:
Considering conflict mpm_prefork for mpm_worker:
Enabling module mpm_worker.
To activate the new configuration, you need to run:
  service apache2 restart

$ sudo service apache2 restart


$ sudo apachectl -V | grep -i mpm
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.0.239. Set the 'ServerName' directive globally to suppress this message
Server MPM:     worker

Apache MPM worker

$ sudo nano /etc/apache2/mods-enabled/mpm_worker.conf

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#                         graceful restart. ThreadLimit can only be changed by stopping
#                         and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves

<IfModule mpm_worker_module>
        StartServers                     2
        MinSpareThreads          25
        MaxSpareThreads          75
        ThreadLimit                      64
        ThreadsPerChild          25
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Делаем сертификаты  вариант от root :


$ sudo mkdir /var/www/example.com  
$ sudo nano /etc/apache2/conf-available/example.com.conf

<VirtualHost *:80>
        ServerName example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/example.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Сохранить.

Подключаем конфигурацию:
$ sudo a2enconf example.com  

 Перезагрузка Apache:
$ sudo service apache2 reload
# systemctl restart apache2

Проверка:

http://example.com/demo/

Кроме того, мы можем включить поддержку ssl
для нашего веб-сервера.


Делаем сертификаты есть варианты либо от root :

Вариант от root :
$ sudo -i
# curl https://get.acme.sh | sh

Делаем сертификаты:
# /root/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com
$ ~/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com

[Mon Jun 17 12:28:42 CEST 2019] Your cert is in  /root/.acme.sh/example.com/example.com.cer
[Mon Jun 17 12:28:42 CEST 2019] Your cert key is in  /root/.acme.sh/
example.co/example.com.key
[Mon Jun 17 12:28:42 CEST 2019] The intermediate CA cert is in  /root/.acme.sh/
example.co/ca.cer
[Mon Jun 17 12:28:42 CEST 2019] And the full chain certs is there:  /root/.acme.sh/
example.com/fullchain.cer



Для этого выполните:

$ sudo a2enmod ssl 
$ sudo a2enmod rewrite

$ sudo nano /etc/apache2/sites-available/site.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile      /root/.acme.sh/example.com/example.com.cer
    SSLCertificateKeyFile  /root/.acme.sh/example.com/example.com.key
    #SSLCertificateChainFile /root/.acme.sh/example.com/fullchain.cer
</VirtualHost> 

Сохранить.

$ sudo a2ensite site
#(отключить sudo a2dissite site)


Перезагрузка Apache:
#$ sudo systemctl restart apache2
$ sudo service apache2 reload

https://example.com/demo/


Обратить внимание, если ставили сертификаты для пользователя root автоматом:

$ sudo crontab -l
0 2 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Как сделать так, чтобы сайт работал только с SSL шифрованием

$ sudo nano /etc/apache2/sites-available/site.conf

Установка 1С 8.3 в файловом варианте на CentOS 7.3 и публикация базы через WEB сервер APACHE


среда, 19 июня 2019 г.

Настройка спящих сеансов

Настройка спящих сеансов
Отличие понятий сеанс и соединение в «1С:Предприятие 8»
Автоматическое удаление спящих сеансов на сервере 1С
Настройка завершения и засыпания сеансов пользоватлей в 1С Предприятии 8.3.5
 

При нештатном завершении клиентского приложения сеанс удерживается еще 20 минут.
(passive-session-hibernate-time   : 1200)
После этого в версиях до 8.3.5 сеанс удалялся. С версии 8.3.5 сеанс засыпает в в спящем состоянии по умолчанию удерживается еще сутки.
(hibernate-session-terminate-time : 86400)
hibernate                        : yes

Спящий сеанс не занимает клиентскую лицензию «1С: Предприятие 8».
Но нужно настраивать сеть или компьютеры.


session                          : a22fcea4-90b2-11e9-6399-309c23451546
session-id                       : 1
infobase                         : 139c0e74-7bbc-11e9-a58b-309c23451546
connection                       : 00000000-0000-0000-0000-000000000000
process                          : 00000000-0000-0000-0000-000000000000
user-name                        : НинаИвановна1
host                             : PerovaNI
app-id                           : 1CV8
locale                           : ru_RU
started-at                       : 2019-06-17T06:47:31
last-active-at                   : 2019-06-17T07:59:44
hibernate                        : yes
passive-session-hibernate-time   : 1200
hibernate-session-terminate-time : 86400


session                          : b34d4a94-90bd-11e9-6399-309c23451546
session-id                       : 4
infobase                         : 139c0e74-7bbc-11e9-a58b-309c23451546
connection                       : b26c0462-90bd-11e9-6399-309c23451546
process                          : 578ef416-78c9-11e9-c182-309c23451546
user-name                        : НинаИвановна1
host                             : PerovaNI
app-id                           : 1CV8
locale                           : ru_RU
started-at                       : 2019-06-17T08:06:44
last-active-at                   : 2019-06-17T10:59:56
hibernate                        : no
passive-session-hibernate-time   : 1200
hibernate-session-terminate-time : 86400

вторник, 18 июня 2019 г.

Shadowsocks over websocket (HTTPS) use v2ray-plugin

Yet another SIP003 plugin for shadowsocks, based on v2ray
Shadowsocks over websocket (HTTPS)

Ubuntu 18.04 пакеты в репозитарии

# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Скачать и использовать для входа /home/user/.ssh/id_rsa
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config

Проверить:

PasswordAuthentication no
.....

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Сохранить.

$ sudo systemctl reload sshd

После проверки входа и sudo

Отключть вход root по ssh

$ sudo nano /etc/ssh/sshd_config

Исправить:

PermitRootLogin no

Сохранить.

$ sudo systemctl reload sshd
# отключим ipv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
#sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p

Getting started with acme.sh Let's Encrypt SSL client
Установка бесплатного ssl-сертификата Let’s Encrypt

Должен быть домен  example.com


На 80 порту работать web сервер

$ sudo apt install nginx
$ mkdir /var/www/example.com -p

$ sudo nano /etc/nginx/conf.d/example.com.conf


server {
      listen 80;
      server_name example.com;

      root /var/www/example.com/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}
 
Сохранить.

$ sudo systemctl reload nginx

Делаем сертификаты есть варианты либо от root либо от user:

Вариант от root :
$ sudo -i
# curl https://get.acme.sh | sh

Делаем сертификаты:
# /root/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com
$ ~/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com

[Mon Jun 17 12:28:42 CEST 2019] Your cert is in  /root/.acme.sh/example.com/example.com.cer
[Mon Jun 17 12:28:42 CEST 2019] Your cert key is in  /root/.acme.sh/
example.co/example.com.key
[Mon Jun 17 12:28:42 CEST 2019] The intermediate CA cert is in  /root/.acme.sh/
example.co/ca.cer
[Mon Jun 17 12:28:42 CEST 2019] And the full chain certs is there:  /root/.acme.sh/
example.com/fullchain.cer

Вариант от user :
Внимание, нужно дать права на папку!!!

$ sudo chown -R user:user /var/www/example.com 

$ curl https://get.acme.sh | sh

Делаем сертификаты:
$ ~/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com



[Tue Jun 17 20:27:42 CEST 2019] Your cert is in /home/user/.acme.sh/example.com/example.com.cer
[Tue Jun 17 20:27:42 CEST 2019] Your cert key is in /home/user/.acme.sh/example.com/example.com.key
[Tue Jun 17 20:27:42 CEST 2019] The intermediate CA cert is in /home/user/.acme.sh/example.com/ca.cer
[Tue Jun 17 20:27:42 CEST 2019] And the full chain certs is there: /home/user/.acme.s/example.com/fullchain.cer

Обратить внимание, если ставили сертификаты для пользователя user автоматом:

$ crontab -l

0 2 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

Соответственно для root автоматом:

$ sudo crontab -l

0 2 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null





следует добавить для user (аналогично для root)

$ crontab -l

3 2 * * * sudo systemctl restart shadowsocks-libev.service


$ sudo apt install fail2ban


Установка shadowsocks-libev

$ sudo apt install shadowsocks-libev
$ wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.1.0/v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ tar -xf v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ sudo mv v2ray-plugin_linux_amd64 /etc/shadowsocks-libev/v2ray-plugin
$ sudo chmod +x  /etc/shadowsocks-libev/v2ray-plugin
#$ sudo setcap 'cap_net_bind_service=+eip' /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server

Проверяем:

$ sudo systemctl stop  shadowsocks-libev.service

$ sudo nano /etc/shadowsocks-libev/config.json

{
    "server":"0.0.0.0",
    "server_port":443,
    "local_port":1080,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open":true,
    "plugin":"/etc/shadowsocks-libev/v2ray-plugin",
    "plugin_opts":"server;tls;host=
example.com",
    "nameserver":"1.1.1.1",
    "reuse_port":true
}



Сохранить.

Впечатление такое что при запуске shadowsocks-libev.service
не видит tls 
"plugin_opts":"server;tls;host=example.com",

На самом деле, для того что бы служба shadowsocks-libev.service увидела сертификаты нужно явно указать поьзователя root или user


Правим службу shadowsocks-libev.service

$ sudo nano /lib/systemd/system/shadowsocks-libev.service

Правим User=nobody

User=root

или

User=user

Сохранить.

$ sudo systemctl daemon-reload  
$ sudo systemctl restart shadowsocks-libev.service
$ sudo systemctl status shadowsocks-libev.service

Скачаем клиент:
shadowsocks-windows

Скачаем плагин:
v2ray-plugin-windows-386-v1.1.0.tar.gz


Update !!!

Встроенный защитник windows 10 ругается на файл
v2ray-plugin_windows_386.exe




Поэтому используем что бы не думалось:
v2ray-plugin_windows_amd64.exe

Скачаем плагин:
v2ray-plugin_windows_amd64.exe



Переименуем и положим в папку Shadowsocks-4.1.6



Настроим:



 

Проверка скорости интернета при канале 50 Mbps :



Установка на клиенте Ubuntu 18.04

shadowsocks-libev на клиенте под линуксом сразу запустить не смог, собирал несколько раз, пока не выяснил, что есть фича - серверный порт должен совпадать с локальным !!!

$ sudo apt install shadowsocks-libev
=========================================================================
для Ubuntu 16.04 заменяем  sudo apt install shadowsocks-libev на :

$ sudo apt update && sudo apt upgrade -y && sudo apt install software-properties-common nano git -y && sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev && sudo apt update && sudo apt install shadowsocks-libev -y

=========================================================================

$ wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.1.0/v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ tar -xf v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ sudo mv v2ray-plugin_linux_amd64 /etc/shadowsocks-libev/v2ray-plugin
$ sudo chmod +x  /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /etc/shadowsocks-libev/v2ray-plugin
#$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server
$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-local

Обратить внимание на Ubuntu серверный порт должен совпадать с локальным портом!!!

$ sudo nano /etc/shadowsocks-libev/config.json
Обратить внимание от сервера отличается отсутствием:
"plugin_opts":"server",

{
    "server":"example.com",
    "server_port":443,
    "local_port":443,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open":true,
    "plugin":"/etc/shadowsocks-libev/v2ray-plugin",
    "plugin_opts":"tls;host=example.com",
    "nameserver":"1.1.1.1",
    "reuse_port": true
}

Сохранить.

$ sudo systemctl stop shadowsocks-libev.service && sudo systemctl disable shadowsocks-libev.service

Самое время проверить, или если захочется запускать вручную :

$ ss-local -s "example.com" -p 443 -l 443 -k "password" -m "aes-256-cfb" --plugin "/etc/shadowsocks-libev/v2ray-plugin"  -v

Делаем сервис для запуска:

$ sudo nano /etc/systemd/system/ss-local.service

[Unit]
Description=Daemon to start Shadowsocks Client
Wants=network-online.target
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/config.json

[Install]
WantedBy=multi-user.target

Сохранить.

$ sudo systemctl daemon-reload
$ sudo systemctl enable ss-local.service
$ sudo systemctl restart ss-local.service

$ sudo  systemctl status ss-local.service

$ sudo journalctl --unit=ss-local.service

воскресенье, 16 июня 2019 г.

Shadowsocks over websocket (HTTPS) use v2ray-plugin

Yet another SIP003 plugin for shadowsocks, based on v2ray
Shadowsocks over websocket (HTTPS)

Ubuntu 18.04 пакеты в репозитарии

# apt update
# apt upgrade
# apt install mc
# adduser user
# usermod -aG sudo user
# su user
$ cd ~
$ mkdir ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t rsa
Скачать и использовать для входа /home/user/.ssh/id_rsa
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ rm ~/.ssh/id_rsa.pub
$ rm ~/.ssh/id_rsa
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
$ exit
# nano /etc/ssh/sshd_config

Проверить:

PasswordAuthentication no
.....

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Сохранить.

$ sudo systemctl reload sshd

После проверки входа и sudo

Отключть вход root по ssh

$ sudo nano /etc/ssh/sshd_config

Исправить:

PermitRootLogin no

Сохранить.

$ sudo systemctl reload sshd
# отключим ipv6
$ sudo /bin/su -c "echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.default.disable_ipv6 = 1' >> /etc/sysctl.conf"
$ sudo /bin/su -c "echo 'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf"
#sudo /bin/su -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
$ sudo sysctl -p

Getting started with acme.sh Let's Encrypt SSL client
Установка бесплатного ssl-сертификата Let’s Encrypt

Должен быть домен  example.com


На 80 порту работать web сервер

$ sudo apt install nginx
$ mkdir /var/www/example.com -p

$ sudo nano /etc/nginx/conf.d/example.com.conf

server {
      listen 80;
      server_name example.com;

      root /var/www/example.com/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}
 
Сохранить.

$ sudo systemctl reload nginx


$ sudo -i
# curl https://get.acme.sh | sh

Делаем сертификаты:
# /root/.acme.sh/acme.sh --issue -d example.com -w /var/www/example.com

[Mon Jun 17 12:28:42 CEST 2019] Your cert is in  /root/.acme.sh/example.com/example.com.cer
[Mon Jun 17 12:28:42 CEST 2019] Your cert key is in  /root/.acme.sh/
example.co/example.com.key
[Mon Jun 17 12:28:42 CEST 2019] The intermediate CA cert is in  /root/.acme.sh/
example.co/ca.cer
[Mon Jun 17 12:28:42 CEST 2019] And the full chain certs is there:  /root/.acme.sh/
example.com/fullchain.cer
Установка shadowsocks-libev

$ sudo apt install shadowsocks-libev
$ wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.1.0/v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ tar -xf v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ sudo mv v2ray-plugin_linux_amd64 /etc/shadowsocks-libev/v2ray-plugin
$ sudo chmod +x  /etc/shadowsocks-libev/v2ray-plugin
#$ sudo setcap 'cap_net_bind_service=+eip' /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server

Проверяем:

$ sudo systemctl stop  shadowsocks-libev.service

$ sudo nano /etc/shadowsocks-libev/config.json

{
    "server":"0.0.0.0",
    "server_port":443,
    "local_port":1080,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open":true,
    "plugin":"/etc/shadowsocks-libev/v2ray-plugin",
    "plugin_opts":"server;tls;host=
example.com",
    "nameserver": "1.1.1.1",
    "reuse_port": true
}
 

Сохранить.

Впечатление такое что при запуске shadowsocks-libev.service
не видит tls 
"plugin_opts":"server;tls;host=zaz01.info",

Поэтому запускать будем (обязательно попробовать):
$ sudo -i
# cd /etc/shadowsocks-libev
# ss-server -c config.json -p 443 --plugin v2ray-plugin --plugin-opts "server;tls;host=example.com;cert=/root/.acme.sh/example.com/fullchain.cer;key=/root/.acme.sh/example.com/example.com.key;loglevel none"


Далее копируем сертификаты

$ sudo cp /root/.acme.sh/example.com/fullchain.cer /etc/shadowsocks-libev/
$ sudo cp /root/.acme.sh/example.com/example.com.key /etc/shadowsocks-libev/

Правим службу shadowsocks-libev.service

$ sudo nano /lib/systemd/system/shadowsocks-libev.service

Правим ExecStart:

#  This file is part of shadowsocks-libev.
#
#  Shadowsocks-libev is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 3 of the License, or
#  (at your option) any later version.
#
#  This file is default for Debian packaging. See also
#  /etc/default/shadowsocks-libev for environment variables.

[Unit]
Description=Shadowsocks-libev Default Server Service
Documentation=man:shadowsocks-libev(8)
After=network.target

[Service]
Type=simple
EnvironmentFile=/etc/default/shadowsocks-libev
User=nobody
Group=nogroup
LimitNOFILE=32768

#ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -p 443 --plugin /etc/shadowsocks-libev/v2ray-plugin --plugin-opts "server;tls;host=zaz01.info;cert=/etc/shadowsocks-libev/fullchain.cer;key=/etc/shadowsocks-libev/example.com.key;loglevel none"
[Install]
WantedBy=multi-user.target


Сохранить.


$ sudo systemctl daemon-reload  
$ sudo systemctl restart shadowsocks-libev.service
$ sudo systemctl status shadowsocks-libev.service



Скачаем клиент:
shadowsocks-windows

Скачаем плагин:
v2ray-plugin-windows-386-v1.1.0.tar.gz

Переименуем и положим в папку Shadowsocks-4.1.6



Настроим:


 

Проверка скорости интернета при канале 50 Mbps :



Установка на клиенте Ubuntu 18.04

shadowsocks-libev на клиенте под линуксом сразу запустить не смог, собирал несколько раз, пока не выяснил, что есть фича - серверный порт должен совпадать с локальным !!!

$ sudo apt install shadowsocks-libev
=========================================================================
для Ubuntu 16.04 заменяем  sudo apt install shadowsocks-libev на :

$ sudo apt update && sudo apt upgrade -y && sudo apt install software-properties-common nano git -y && sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev && sudo apt update && sudo apt install shadowsocks-libev -y

=========================================================================

$ wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.1.0/v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ tar -xf v2ray-plugin-linux-amd64-v1.1.0.tar.gz
$ sudo mv v2ray-plugin_linux_amd64 /etc/shadowsocks-libev/v2ray-plugin
$ sudo chmod +x  /etc/shadowsocks-libev/v2ray-plugin
$ sudo setcap 'cap_net_bind_service=+ep' /etc/shadowsocks-libev/v2ray-plugin
#$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-server
$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/ss-local

Обратить внимание на Ubuntu серверный порт должен совпадать с локальным портом!!!

$ sudo nano /etc/shadowsocks-libev/config.json
Обратить внимание от сервера отличается отсутствием:
"plugin_opts":"server",

{
    "server":"example.com",
    "server_port":443,
    "local_port":443,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open":true,
    "plugin":"/etc/shadowsocks-libev/v2ray-plugin",
    "plugin_opts":"tls;host=example.com",
    "nameserver":"1.1.1.1",
    "reuse_port": true
}

Сохранить.

$ sudo systemctl stop shadowsocks-libev.service && sudo systemctl disable shadowsocks-libev.service

Самое время проверить, или если захочется запускать вручную :

$ ss-local -s "example.com" -p 443 -l 443 -k "password" -m "aes-256-cfb" --plugin "/etc/shadowsocks-libev/v2ray-plugin"  -v

Сложило впечатление что на Ubuntu 20.04 конфиг не считывается
ss-local -c config.json

На Ubuntu 20.04 заработало только так:

ss-local -s "example.com" -p 443 -l 443 -k "password" -m "aes-256-cfb" --plugin "/etc/shadowsocks-libev/v2ray-plugin" --plugin-opts "tls;host=example.com" -v

Делаем сервис для запуска:

$ sudo nano /etc/systemd/system/ss-local.service

[Unit]
Description=Daemon to start Shadowsocks Client
Wants=network-online.target
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/config.json
# Ubuntu 20.04 раскомментировать:
#ExecStart=/usr/bin/ss-local -s "example.com" -p 443 -l 443 -k "password" -m "aes-256-cfb" --plugin "/etc/shadowsocks-libev/v2ray-plugin" --plugin-opts "tls;host=example.com

[Install]
WantedBy=multi-user.target

Сохранить.

$ sudo systemctl daemon-reload
$ sudo systemctl enable ss-local.service
$ sudo systemctl restart ss-local.service

$ sudo  systemctl status ss-local.service

$ sudo journalctl --unit=ss-local.service