
# frp配置
## 1.配置systemd服务
```sh
sudo vim /etc/systemd/system/frps.service
# Unit file content (the /path/to/... values are placeholders for the real install location)
[Unit]
# Human-readable service name, free text
Description = frp server
After = network.target syslog.target
Wants = network.target
[Service]
Type = simple
# Replace both paths with the actual frps binary and its config file
ExecStart = /path/to/frps -c /path/to/frps.toml
# NOTE(review): no User= is set, so frps runs as root; once you have confirmed it needs no
# root-only resources (default port 7000 is unprivileged), a dedicated User=/Group= is advisable
[Install]
WantedBy = multi-user.target
```
## 2.tls双向认证加密
### a.创建加密证书
```sh
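# Stop at the first failed command (incl. a failed grep in the final checks) instead of
# silently continuing and signing with a missing key
set -euo pipefail
# Every key/cert written below inherits this umask, so the private keys are owner-readable only
umask 077
# Working directory for the certificates
mkdir frp_certs && cd frp_certs
# Copy of the default openssl config, kept for reference (the steps below use their own .cnf files)
cp /etc/ssl/openssl.cnf ./
# CA private key: it signs every cert below. Keep it here, offline; never deploy it to the frp hosts
openssl genrsa -out frp_ca.key 2048
# Self-signed CA certificate (10-year validity); frp_ca.crt is what gets distributed as trustedCaFile
openssl req -x509 -new -nodes -key frp_ca.key -subj "/CN=frp-ca" -days 3650 -out frp_ca.crt
# Request config for the client cert; set IP.1 to the real client address.
# The delimiter is quoted so nothing inside the heredoc is expanded by the shell
cat > frpc.cnf << 'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = Frp
CN = frp-client
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.140.122
EOF
# Request config for the server cert; set IP.1 to the real server address
cat > frps.cnf << 'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = Frp
CN = frp-server
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 47.106.206.100
EOF
# Server private key
openssl genrsa -out frps.key 2048
# Server CSR carrying the IP SAN. -reqexts is the CSR-side option (older OpenSSL only honours
# -extensions together with -x509); the req_extensions line in the .cnf selects the same section
openssl req -new -sha256 -key frps.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Frp/CN=frp-server" -config frps.cnf -reqexts v3_req -out frps.csr
# Sign the server cert. -extfile/-extensions are required: x509 -req does not copy the CSR's
# extensions on its own, and without them the SAN would be dropped
openssl x509 -req -days 3650 -sha256 -in frps.csr -CA frp_ca.crt -CAkey frp_ca.key -CAcreateserial -extfile frps.cnf -extensions v3_req -out frps.crt
# Client private key
openssl genrsa -out frpc.key 2048
# Client CSR carrying the IP SAN
openssl req -new -sha256 -key frpc.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Frp/CN=frp-client" -config frpc.cnf -reqexts v3_req -out frpc.csr
# Sign the client cert (same serial file as above; -CAcreateserial only creates it when missing)
openssl x509 -req -days 3650 -sha256 -in frpc.csr -CA frp_ca.crt -CAkey frp_ca.key -CAcreateserial -extfile frpc.cnf -extensions v3_req -out frpc.crt
# Verify the SAN: the output must show the server IP (the script exits non-zero if it is absent)
openssl x509 -in frps.crt -text -noout | grep -A 2 "Subject Alternative Name"
# Verify the SAN: the output must show the client IP
openssl x509 -in frpc.crt -text -noout | grep -A 2 "Subject Alternative Name"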
```
### b.以toml格式配置文件
```sh
# Token authentication: a shared secret that frps.toml and frpc.toml must both carry
auth.method = "token"
# "frptoken" is an example value; use a long random secret and keep this file unreadable to other users
auth.token = "frptoken"
# frps.toml: add the following, adjusting the certificate paths
# Only accept TLS connections from clients. The client-side verification that makes this
# mutual comes from trustedCaFile below, not from this flag alone
transport.tls.force = true
transport.tls.certFile = "/etc/frp/ssl/frps.crt"
transport.tls.keyFile = "/etc/frp/ssl/frps.key"
# CA that signed the client certificates; deploy only frp_ca.crt here, never frp_ca.key
transport.tls.trustedCaFile = "/etc/frp/ssl/frp_ca.crt"
# frpc.toml: add the following, adjusting the certificate paths
transport.tls.enable = true
transport.tls.certFile = "/etc/frp/ssl/frpc.crt"
transport.tls.keyFile = "/etc/frp/ssl/frpc.key"
# CA that signed the server certificate; a frps presenting any other cert is rejected
transport.tls.trustedCaFile = "/etc/frp/ssl/frp_ca.crt"
```
## 3.创建tcp代理
```sh
# Expose a port of this host (sshd on 127.0.0.1:22) as port 12322 on frps
[[proxies]]
name = "ssh-local"
type = "tcp"
localIP = "127.0.0.1"
localPort = 22
# NOTE(review): a tcp proxy is reachable by anyone who can reach frps on this port; the
# token/mTLS from section 2 protects only the frpc<->frps channel, not the exposed service.
# Use stcp (section 8) when the service is not meant to be public
remotePort = 12322
# Forward a port of another LAN host; frpc relays to 192.168.140.121:22
[[proxies]]
name = "dev-ssh"
type = "tcp"
localIP = "192.168.140.121"
localPort = 22
remotePort = 12323
```
## 4.配置负载均衡及健康检查
```sh
# Proxy types that support load balancing: tcp, http, tcpmux
# frpc.toml
# Two proxies sharing group/groupKey publish the same remotePort 80 and are balanced by frps
[[proxies]]
name = "test1"
type = "tcp"
localPort = 8080
remotePort = 80
loadBalancer.group = "web"
# Group secret; presumably a member with a different groupKey is refused — "123" is an example value
loadBalancer.groupKey = "123"
[[proxies]]
name = "test2"
type = "tcp"
localPort = 8081
remotePort = 80
loadBalancer.group = "web"
loadBalancer.groupKey = "123"
# tcp health check
# NOTE(review): this example reuses the proxy name "test1" from the load-balancer example above;
# give it a distinct name if both examples end up in the same frpc.toml
[[proxies]]
name = "test1"
type = "tcp"
localPort = 22
remotePort = 6000
# Enable health checking, probe type tcp
healthCheck.type = "tcp"
# Connect timeout in seconds
healthCheck.timeoutSeconds = 3
# After 3 consecutive failures the proxy is withdrawn
healthCheck.maxFailed = 3
# Probe every 10 seconds
healthCheck.intervalSeconds = 10
# http health check
[[proxies]]
name = "web"
type = "http"
localIP = "127.0.0.1"
localPort = 80
customDomains = ["test.yourdomain.com"]
# Enable health checking, probe type http
healthCheck.type = "http"
# Path the probe requests; the backend must answer with a 2xx status to count as healthy
healthCheck.path = "/status"
healthCheck.timeoutSeconds = 3
healthCheck.maxFailed = 3
healthCheck.intervalSeconds = 10
```
## 5.获取用户真实IP
```sh
# Only http-type proxies, or proxies using the https2http / https2https plugin, support this;
# the client address is then passed in the X-Forwarded-For header (enabled by default).
# A tcp backend that implements the PROXY protocol can also obtain the real client IP.
# NOTE(review): the backend listener must be configured to expect PROXY protocol, and should
# accept that header only from frpc's address, since the header itself is unauthenticated
# frpc.toml: add the following
transport.proxyProtocolVersion = "v2"
```
## 6.代理限速
```sh
# frpc.toml: add the following
# Bandwidth cap; the unit is MB or KB
transport.bandwidthLimit = "1MB"
# Enforce the cap on the frps side instead of in frpc
transport.bandwidthLimitMode = "server"
```
## 7.虚拟网络(类似组网)
- 服务端配置
```sh
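# frpc.toml on the "server" end of the virtual network. The keys used here — serverAddr,
# serverPort, [[proxies]] — are frpc settings, so this block is not the frps.toml
serverAddr = "x.x.x.x"
serverPort = 7000
# Declared exactly once: TOML rejects a key that is defined twice in the same table
featureGates = { VirtualNet = true }
# Virtual network interface address of this end
virtualNet.address = "100.86.0.1/24"
[[proxies]]
name = "vnet-server"
type = "stcp"
# Shared secret every visitor must present; replace the placeholder with a random value
secretKey = "your-secret-key"
[proxies.plugin]
type = "virtual_net"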
```
- 客户端配置
```sh
# frpc.toml on the visitor end of the virtual network
serverAddr = "x.x.x.x"
serverPort = 7000
featureGates = { VirtualNet = true }
# Virtual network interface address of this end (same /24 as the other side)
virtualNet.address = "100.86.0.2/24"
[[visitors]]
name = "vnet-visitor"
type = "stcp"
# Name of the stcp proxy on the other end
serverName = "vnet-server"
# Must match that proxy's secretKey
secretKey = "your-secret-key"
# presumably -1 means no local listener is opened; traffic goes to the plugin below — verify
bindPort = -1
[visitors.plugin]
type = "virtual_net"
# Virtual IP of the other end
destinationIP = "100.86.0.1"
```
## 8.安全代理STCP
`使用 stcp(secret tcp) 类型的代理可以让您安全地将内网服务暴露给经过授权的用户,这需要访问者也部署 frpc 客户端`
- 被访问客户端配置
```sh
# frpc.toml on the host that owns the service
serverAddr = "x.x.x.x"
serverPort = 7000
[[proxies]]
name = "secret_ssh"
type = "stcp"
# Only a visitor presenting the same secretKey can reach this service; "abcdefg" is an
# example value, use a long random secret (it is the only thing gating access)
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
```
- 访问者客户端配置
```sh
# frpc.toml on the visitor's machine
serverAddr = "x.x.x.x"
serverPort = 7000
[[visitors]]
name = "secret_ssh_visitor"
type = "stcp"
# Name of the stcp proxy to reach
serverName = "secret_ssh"
# Must match the proxy's secretKey
secretKey = "abcdefg"
# Local bind for reaching the SSH service; 127.0.0.1 keeps the listener off the LAN
bindAddr = "127.0.0.1"
bindPort = 6000
```
- 访问示例
```sh
# Reach the stcp-forwarded SSH service through the visitor's local bind (127.0.0.1:6000)
ssh -p 6000 test@127.0.0.1
```
## 9.点对点透传(P2P)
- 被访问客户端配置
```sh
# frpc.toml on the host that owns the service
serverAddr = "x.x.x.x"
serverPort = 7000
# If the default STUN server is unreachable, point this at another one
# natHoleStunServer = "xxx"
[[proxies]]
name = "p2p_ssh"
type = "xtcp"
# Only a visitor presenting the same secretKey can reach this service; "abcdefg" is an example value
secretKey = "abcdefg"
localIP = "127.0.0.1"
localPort = 22
```
- 访问者客户端配置
```sh
# frpc.toml on the visitor's machine
serverAddr = "x.x.x.x"
serverPort = 7000
# If the default STUN server is unreachable, point this at another one
# natHoleStunServer = "xxx"
[[visitors]]
name = "p2p_ssh_visitor"
type = "xtcp"
# Name of the xtcp proxy to reach
serverName = "p2p_ssh"
# Must match the proxy's secretKey
secretKey = "abcdefg"
# Local bind for reaching the SSH service; 127.0.0.1 keeps the listener off the LAN
bindAddr = "127.0.0.1"
bindPort = 6000
# Set to true to keep the tunnel open automatically
# keepTunnelOpen = false
```
- 配置回退:如果 xtcp 打洞失败,自动改用 stcp
```sh
# Fallback visitor: stcp relayed through frps, used when the xtcp hole punch fails
[[visitors]]
name = "stcp-visitor"
type = "stcp"
serverName = "stcp-test"
secretKey = "abc"
# No local port of its own; it is only reached via fallbackTo below
bindPort = -1
# Primary visitor: direct P2P connection
[[visitors]]
name = "xtcp-visitor"
type = "xtcp"
serverName = "xtcp-test"
secretKey = "abc"
bindAddr = "127.0.0.1"
bindPort = 9002
# Visitor to switch to when the P2P connection cannot be established
fallbackTo = "stcp-visitor"
# Time to wait for the hole punch before falling back, in milliseconds
fallbackTimeoutMs = 2000
```
# kvm虚拟化
## KVM存储池管理
### 删除存储池
```sh
# List every storage pool, including inactive ones
sudo virsh pool-list --all
# Deactivate the pool (libvirt stops using it; the data on disk is not removed by this step)
sudo virsh pool-destroy <存储池名称>
# Disable autostart so the pool does not come back on the next libvirtd start
sudo virsh pool-autostart --disable <存储池名称>
# Delete the pool's underlying storage — destructive and not recoverable
sudo virsh pool-delete <存储池名称>
# Remove the pool definition from libvirt
sudo virsh pool-undefine <存储池名称>
```
### 创建存储池
```sh
# Pool types: local filesystem directory, network filesystem, physical disk, LVM volume group,
# iSCSI, pre-formatted block device
# Define a directory-backed pool on /data/vmfs and build it (pool-build creates the target directory)
virsh pool-define-as vmdisk --type dir --target /data/vmfs
virsh pool-build vmdisk
# Activate the pool and start it automatically on boot
virsh pool-start vmdisk
virsh pool-autostart vmdisk
# Create a 20G qcow2 volume inside the pool
virsh vol-create-as vmdisk myvm-disk.qcow2 20G --format qcow2
# Alternative: create the disk file directly with qemu-img
qemu-img create -f qcow2 /var/lib/libvirt/images/myvm-disk.qcow2 20G
```
## KVM磁盘管理
```sh
# Grow the disk image by 100G. Only the image grows: the partition table and filesystem
# inside the guest still have to be extended afterwards.
# NOTE(review): resizing an image that a running VM has open is unsafe — shut the VM down
# first (or use virsh blockresize for a live domain)
qemu-img resize /var/lib/libvirt/images/vm_name.qcow2 +100G
```
## KVM状态管理
```sh
# List VMs, including the ones that are shut off
virsh list --all
# Start the named VM
virsh start <虚拟机名称>
# Graceful shutdown: sends a shutdown request to the guest (preferred)
virsh shutdown <虚拟机名称>
# Forced power-off: equivalent to pulling the plug, for an unresponsive guest only
virsh destroy <虚拟机名称>
# Reboot the VM
virsh reboot <虚拟机名称>
# Pause / resume the VM (two separate commands)
virsh suspend <虚拟机名称>/ virsh resume <虚拟机名称>
# Start the VM automatically when the host boots
virsh autostart <虚拟机名称>
# Attach to the VM's text console
virsh console <虚拟机名称>
```
## KVM快照管理
```sh
# Create a snapshot of the named VM
virsh snapshot-create-as --domain <虚拟机名称> --name <快照名称>
# List all snapshots of the VM
virsh snapshot-list <虚拟机名称>
# Revert the VM to the state captured by the snapshot (changes made since are discarded)
virsh snapshot-revert --domain <虚拟机名称> --snapshotname <快照名称>
# Delete a snapshot
virsh snapshot-delete --domain <虚拟机名称> --snapshotname <快照名称>
```
## KVM网络管理
```sh
```
## KVM配置管理
```sh
# Show the VM's summary information
virsh dominfo <虚拟机名称>
# Export the VM's XML definition; useful as a backup or as a template for cloning
virsh dumpxml <虚拟机名称> > vm-config.xml
# Edit the definition in place; the safest way to change it, since the XML is validated on save
virsh edit <虚拟机名称>
```
# caddy服务
```json
# Caddyfile
# Permanent redirect from the bare domain to the www host, preserving the request URI
cvms.cn {
redir https://www.cvms.cn{uri} permanent
}
# Reverse proxy to the upstream. The hop to 124.71.69.197:4000 is plain HTTP, so it should
# only cross a network you trust — NOTE(review): confirm this path stays inside a private network
www.cvms.cn {
reverse_proxy http://124.71.69.197:4000
}
# Explicit http:// prefix: this site is served without TLS and is not redirected to HTTPS
http://api.cvms.cn {
reverse_proxy http://localhost:45000
}
```