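# Download the installer with TLS certificate verification left ON.
# The original used --no-check-certificate; since the downloaded script is
# executed on this host two lines later, a tampered download would run with
# whatever privileges the install shell has, so the check must stay enabled.
wget -O shadowsocks.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks.sh
chmod +x shadowsocks.sh
# The install output (see the "Your Password" line it prints) is also written
# to shadowsocks.log, so treat that log file as sensitive.
./shadowsocks.sh 2>&1 | tee shadowsocks.log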
完成后会看到这样的输出
Congratulations, Shadowsocks-python server install completed!
Your Server IP :your_server_ip
Your Server Port :your_server_port
Your Password :your_password
Your Encryption Method:your_encryption_method
Welcome to visit:https://teddysun.com/342.html
Enjoy it!
然后用 vi /etc/shadowsecks.json 修改里面的配置
启动:/etc/init.d/shadowsocks start
停止:/etc/init.d/shadowsocks stop
重启:/etc/init.d/shadowsocks restart
状态:/etc/init.d/shadowsocks status
建立Let's encrypt
# Prerequisites for Let's Encrypt: EPEL provides certbot, mod_ssl gives
# httpd TLS support. Then start httpd so certbot's apache plugin has a
# server to configure.
sudo yum install epel-release
sudo yum install httpd mod_ssl python-certbot-apache
sudo systemctl start httpd
# Open HTTP and HTTPS in firewalld (runtime), then persist the runtime rules.
for svc in http https; do
  sudo firewall-cmd --add-service="$svc"
done
sudo firewall-cmd --runtime-to-permanent
# Matching raw iptables rules (runtime only; these are not persisted).
for port in 80 443; do
  sudo iptables -I INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
然后建立证书比如要建立一个二级域名sub.example.com
sudo certbot --apache -d sub.example.com
如无意外会出现如下
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2016-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you lose your account credentials, you can recover through
e-mails sent to user@example.com.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
这时证书会在 /etc/letsencrypt/live
如果出错了,就改用这个命令
certbot --authenticator webroot --installer apache
再测试
sudo apachectl configtest
再重启
sudo systemctl restart httpd
这时相信你可以访问你的https网站
这时要设置自动更新你的证书
sudo certbot renew
再用定时任务做自动更新证书(注意:续期后 httpd 和 strongswan 要重新加载才会读到新证书)
sudo crontab -e
进入后输入这个命令行
30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
好了,然后再做个ikev2服务器
# Install strongSwan (the IKEv2 daemon), start it at boot and start it now.
yum install strongswan
systemctl enable strongswan
systemctl start strongswan
先确认 /etc/letsencrypt/live/mydomain.com/ 下面有你的证书文件
fullchain.pem,privkey.pem,chain.pem
然后用这几个命令,注意,下面的mydomain.com改成你自己的域名
# Point strongSwan at the Let's Encrypt files with symlinks instead of
# copies, so a renewal updates the files on disk without re-copying.
# Replace mydomain.com with your own domain.
le_dir=/etc/letsencrypt/live/mydomain.com
ss_dir=/etc/strongswan/ipsec.d
ln -s "$le_dir/fullchain.pem" "$ss_dir/certs/fullchain.pem"
ln -s "$le_dir/privkey.pem"   "$ss_dir/private/privkey.pem"
ln -s "$le_dir/chain.pem"     "$ss_dir/cacerts/chain.pem"
修改/etc/strongswan/ipsec.conf,注意下面 leftid=server.mydomain.com 要改成自己的域名
config setup
uniqueids=no charon
debug = ike 3, cfg 3
conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=2000s
keyexchange=ikev2
auto=add
rekey=no
reauth=no
fragmentation=yes
compress=yes
### left - local (server) side
# filename of certificate chain located in /etc/strongswan/ipsec.d/certs/
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
### right - remote (client) side
eap_identity=%identity
rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112
rightdns=8.8.8.8,2001:4860:4860::8888
conn ikev2-mschapv2
rightauth=eap-mschapv2
conn ikev2-mschapv2-apple
rightauth=eap-mschapv2
leftid=server.mydomain.com
然后再改 /etc/strongswan/ipsec.secrets,把下面的 yonghuaming : EAP "mima" 改成自己的用户名和密码
# filename of private key located in /etc/strongswan/ipsec.d/private/
: RSA privkey.pem
# syntax is `username : EAP "plaintextpassword"`
yonghuaming : EAP "mima"
然后开启防火墙
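# Allow ESP and AH, IKE (UDP 500) and NAT-T (UDP 4500) through firewalld and
# NAT the VPN clients' traffic out of this host. Every rule is --permanent,
# so nothing takes effect until the --reload at the end.
# The first rule's closing quote was a typographic ’ in the original, which
# leaves the shell waiting for a closing quote; it is a plain ' here.
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload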
查看防火墙设置,确认规则已生效
firewall-cmd --list-all
再加些东西到 /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
然后使它生效
sysctl -p
全部完成了!