Preface:
The Tencent Cloud VPS I bought in March: I just found out that refunding it now only returns 0 yuan. The test applications have already been migrated to JD; wiping the contents is too much trouble, so reinstalling is simpler.
To comply with policy, cloud hosts in mainland China have two IP addresses, one private and one public, with a central firewall monitoring data security. Each cloud vendor also has its own pre-installed services that monitor the host to comply with the government's (ZF) monitoring regime.
Environment:
OS: Ubuntu 24
Host: one public and one private IP
Firewall: provided by the cloud
FQDN: bjt.daven.us
Configuration steps:
1. Replace the apt sources
# Back up the current file (mv keeps the copy and removes the original in one step)
mv /etc/apt/sources.list.d/ubuntu.sources /etc/apt/sources.list.d/ubuntu.sources.bak
# Write the replacement. deb822 format: the two stanzas MUST be separated by a blank line,
# otherwise apt reads them as one stanza with duplicated keys.
tee /etc/apt/sources.list.d/ubuntu.sources > /dev/null <<EOF
Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF
# Clear the cached lists (including the Tencent mirror's)
rm -rf /var/lib/apt/lists/*
rm -rf /var/lib/swcatalog/yaml/*
# Refresh the package lists
apt update
Switching the mirror only changes where the packages are downloaded from. Because Signed-By still points at the Ubuntu archive keyring, apt keeps verifying every Release file against Canonical's signing key, so a tampering mirror is detected rather than trusted.
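As an added example (not from the original post): a shell function that checks a deb822 sources file like the one above for the mistakes that actually matter, namely two stanzas run together without a blank line (which silently merges them into one stanza with duplicated keys), a stanza with no Signed-By keyring, and non-https mirror URIs. It reads the file path given as its argument; the sample files used to exercise it are constructed for this example.

```shell
#!/bin/sh
# Added example: validate a deb822 apt sources file (usage: check_apt_sources FILE).
# Prints one line per problem; the exit status is the number of problems (0 = clean),
# so it can gate a provisioning script. Continuation lines (leading whitespace) are
# not handled; the Ubuntu sources file does not use them.
check_apt_sources() {
    awk '
    # Called at each stanza boundary: check the finished stanza and reset.
    function flush() {
        if (!seen) return
        n++
        for (i = 1; i <= 5; i++)
            if (!(req[i] in f)) { printf "stanza %d: missing %s\n", n, req[i]; bad++ }
        if ("URIs" in f) {
            m = split(f["URIs"], u, " ")
            for (j = 1; j <= m; j++)
                if (u[j] !~ /^https:\/\//) { printf "stanza %d: non-https URI %s\n", n, u[j]; bad++ }
        }
        for (k in f) delete f[k]
        seen = 0
    }
    BEGIN { split("Types URIs Suites Components Signed-By", req, " ") }
    /^[[:space:]]*$/ { flush(); next }     # blank line: stanza boundary
    /^[[:space:]]*#/ { next }              # comment
    /^[A-Za-z-]+:/ {
        key = $1; sub(/:$/, "", key)
        # The same key twice in one stanza means the blank separator line is missing.
        if (key in f) { printf "stanza %d: duplicate %s (missing blank line between stanzas?)\n", n + 1, key; bad++ }
        val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)
        f[key] = val; seen = 1
        next
    }
    END { flush(); exit bad }
    ' "$1"
}

# Usage on the live host:
#   check_apt_sources /etc/apt/sources.list.d/ubuntu.sources && apt update
```

Running it against a copy of the block above with the blank line removed reports four duplicate keys, which is exactly how a copy-paste of two stanzas onto one line fails.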
2. Remove unneeded pre-installed software
apt remove --purge qcloud-*
rm -rf /usr/local/qcloud/
apt remove --purge modemmanager
apt remove --purge udisks2
apt remove --purge policykit-1
apt remove --purge multipath-tools
systemctl disable networkd-dispatcher
apt remove --purge networkd-dispatcher
# Note: with unattended-upgrades removed, security updates are no longer applied automatically;
# apt update && apt upgrade (step 4) has to be run by hand on a schedule.
systemctl disable unattended-upgrades
apt remove --purge unattended-upgrades
systemctl disable fwupd.service
systemctl disable packagekit.service
systemctl disable polkit.service
systemctl disable upower.service
apt remove --purge fwupd packagekit policykit-1 upower
sudo apt autoremove
sudo apt autoclean
Tencent Cloud specific cleanup
sudo rm -f /etc/cron.d/yunjing
sudo rm -f /var/lib/apt/lists/mirrors.tencentyun.com_*
sudo rm -f /var/lib/swcatalog/yaml/mirrors.tencentyun.com_*
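An added example, not part of the original post: after purging the packages and deleting the cron file above, this shell function looks for what a vendor agent typically leaves behind, matching a pattern against file names and file contents in the places such agents hook in. The default pattern (qcloud, yunjing, tencent) is taken from the names that appear in the steps above; the ROOT argument and the directory tree used in the usage are assumptions for the example so it can run against a mounted image or a constructed tree rather than only against "/".

```shell
#!/bin/sh
# Added example: find vendor-agent leftovers (usage: find_vendor_leftovers ROOT [PATTERN]).
# Searches systemd unit dirs, cron dirs, init scripts, user crontabs, and the top level of
# /usr/local and /opt under ROOT. Prints each hit; the exit status is the number of hits
# (0 = clean). Use "/" as ROOT on the live host.
find_vendor_leftovers() {
    root=${1:-/}
    pat=${2:-'qcloud|yunjing|tencent'}
    hits=$(
        {
            for d in etc/systemd/system lib/systemd/system usr/lib/systemd/system \
                     etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly \
                     etc/init.d var/spool/cron/crontabs; do
                [ -d "$root/$d" ] || continue
                # hit by file name (e.g. /etc/cron.d/yunjing) ...
                find "$root/$d" -type f -print | grep -Ei -- "$pat" || :
                # ... or by content (a cron line or ExecStart= that calls a vendor binary)
                grep -rEil -- "$pat" "$root/$d" 2>/dev/null || :
            done
            # whole install trees dropped under /usr/local or /opt (e.g. /usr/local/qcloud)
            for d in usr/local opt; do
                [ -d "$root/$d" ] || continue
                find "$root/$d" -mindepth 1 -maxdepth 1 -print | grep -Ei -- "$pat" || :
            done
        } | sort -u
    )
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return $(printf '%s\n' "$hits" | wc -l)
}

# Usage on the live host (after the purge above):
#   find_vendor_leftovers / && echo "clean"
```

A hit in a unit or cron directory means something still runs; a hit under /usr/local or /opt is only data on disk, but it is where an agent reinstalled by the vendor's image tooling would look for its config, so remove it as well.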
3. Set the hostname
vi /etc/hostname
bjt
vi /etc/hosts
127.0.1.1 bjt.daven.us bjt
127.0.0.1 localhost bjt
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

4. Upgrade packages and the OS
apt update
apt upgrade
# Remove packages nothing depends on any more (a bare "apt purge" with no package name does nothing)
apt autoremove --purge
apt install update-manager-core
# Only does anything if a newer release is offered for the Prompt setting in /etc/update-manager/release-upgrades
sudo do-release-upgrade
5. SSH configuration
vi /etc/ssh/sshd_config
# This replaces the whole file. Ubuntu's stock file starts with
# "Include /etc/ssh/sshd_config.d/*.conf"; included drop-ins are read first and the first
# value of a keyword wins, so if you only edit the stock file instead, check that directory
# for a drop-in that re-enables PasswordAuthentication.
# ("Protocol 2" dropped: SSH-1 was removed from OpenSSH long ago and the keyword is ignored.)
Port 9922
AddressFamily any

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTH
LogLevel INFO

# Key-only root login. "yes" would also allow a password if PasswordAuthentication were ever turned back on.
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
# Also disable keyboard-interactive: with UsePAM yes, PAM could otherwise still prompt for a password.
# (ChallengeResponseAuthentication is the old name of this directive.)
KbdInteractiveAuthentication no
UsePAM yes

X11Forwarding no
PrintMotd no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxSessions 3

PermitUserEnvironment no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no

# No Kerberos on this host; leave GSSAPI off rather than exposing the code path.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
# Check the syntax before restarting; a typo here locks you out of a remote box.
sshd -t
# Ubuntu 24.04 starts sshd through ssh.socket; the socket has to be regenerated for the new port.
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh
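As an added example (not from the original post): a shell function that audits an sshd_config for the settings the block above hardens, modelling how sshd itself reads the file: keywords are case-insensitive, the first occurrence of a keyword wins, ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication, and everything after the first Match line is conditional (skipped here). Absent directives are judged by their OpenSSH 9.x defaults, which is how an unset PasswordAuthentication ends up meaning "yes". The file path is its argument; the sample configs used to exercise it are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config (usage: audit_sshd_config FILE).
# Prints FAIL/NOTE lines; the exit status is the number of FAILs (0 = clean).
audit_sshd_config() {
    awk '
    # Compare the effective value of keyword k (first occurrence, else the default) with want.
    function need(k, want, dflt,    x) {
        x = (k in v) ? v[k] : dflt
        if (x != want) { printf "FAIL: %s is %s (want %s)\n", k, x, want; return 1 }
        return 0
    }
    /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
    {
        kw = tolower($1); val = tolower($2)
        if (kw == "match") exit                      # conditional section: stop (END still runs)
        if (kw == "include") {                       # included files are read at this point, so they win
            printf "NOTE: Include %s not audited; check it (or run sshd -T) for overrides\n", $2
            next
        }
        if (kw == "challengeresponseauthentication") kw = "kbdinteractiveauthentication"
        if (!(kw in v)) v[kw] = val                  # first occurrence wins
    }
    END {
        bad = 0
        bad += need("passwordauthentication", "no", "yes")
        # with UsePAM yes, keyboard-interactive can still prompt for a password via PAM
        bad += need("kbdinteractiveauthentication", "no", "yes")
        bad += need("permitemptypasswords", "no", "no")
        bad += need("hostbasedauthentication", "no", "no")
        bad += need("permituserenvironment", "no", "no")
        bad += need("x11forwarding", "no", "no")
        bad += need("ignorerhosts", "yes", "yes")
        bad += need("pubkeyauthentication", "yes", "yes")
        bad += need("strictmodes", "yes", "yes")
        x = ("permitrootlogin" in v) ? v["permitrootlogin"] : "prohibit-password"
        if (x != "no" && x != "prohibit-password" && x != "without-password") {
            printf "FAIL: permitrootlogin is %s (want no or prohibit-password)\n", x; bad++
        }
        x = ("maxauthtries" in v) ? v["maxauthtries"] + 0 : 6
        if (x > 4) { printf "FAIL: maxauthtries is %d (want <= 4)\n", x; bad++ }
        exit bad
    }
    ' "$1"
}

# Usage on the live host, before restarting sshd:
#   audit_sshd_config /etc/ssh/sshd_config && sshd -t
```

This reads one file; on the host itself `sshd -T` prints the fully resolved configuration including every Include, and is the final word on what is actually in effect.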
6. Replace the host keys
# The keys the image shipped with were generated before you controlled the host; regenerate them.
# -N "" sets an empty passphrase, which sshd requires for host keys.
rm /etc/ssh/ssh_host_*_key*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# (No DSA key: it is not listed under HostKey in step 5, and DSA is deprecated and disabled in current OpenSSH.)
ls -l /etc/ssh/
# Record the new fingerprints now: clients will get a "host key has changed" warning on the next
# connection and need something trustworthy to compare against.
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
7. Set the timezone
timedatectl set-timezone Asia/Shanghai
Reboot the host. Note that SSH has moved from 22 to 9922: open 9922 in the cloud security group (and in ufw, step 10) first, and keep the current session open until a new login on 9922 succeeds.
8. Obtain a TLS certificate with acme.sh
1) Install nginx
apt install nginx git uuid-runtime
2) Obtain the certificate with acme.sh
git clone https://gitee.com/neilpang/acme.sh.git
cd acme.sh
./acme.sh --install -m dave@daven.us
source ~/.bashrc
~/.acme.sh/acme.sh --register-account -m dave@daven.us
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
# acme.sh issues ECC (ec-256) keys by default; --renew and --install-cert then need --ecc to find the cert.
# Drop --ecc below if you issued with --keylength 2048.
# Certificate already exists: just renew it
#~/.acme.sh/acme.sh --renew -d bjt.daven.us --ecc --yes-I-know-dns-manual-mode-enough-go-ahead-please
# New domain: manual DNS mode prints the TXT record to create at _acme-challenge.bjt.daven.us
~/.acme.sh/acme.sh --issue -d bjt.daven.us --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
Create the TXT record, wait for it to propagate, then complete the issuance with --renew (not --issue again):
~/.acme.sh/acme.sh --renew -d bjt.daven.us --ecc --yes-I-know-dns-manual-mode-enough-go-ahead-please
# Copy the certificate to the paths nginx reads (step 9) and reload nginx on every renewal
mkdir -p /etc/letsencrypt/cert/bjt.daven.us
~/.acme.sh/acme.sh --install-cert -d bjt.daven.us --ecc \
  --fullchain-file /etc/letsencrypt/cert/bjt.daven.us/fullchain.pem \
  --key-file /etc/letsencrypt/cert/bjt.daven.us/privkey.pem \
  --reloadcmd "systemctl reload nginx"
Caveat: manual DNS mode cannot renew unattended. The cron job acme.sh installs will fail for this domain, so either repeat the TXT-record step before the 90-day expiry or switch to a DNS API mode (--dns dns_<provider>) so renewal is automated.
9. Configure nginx to use TLS
vi /etc/nginx/sites-available/bjt.daven.us
server {
    listen 7033 ssl http2;
    listen [::]:7033 ssl http2;
    server_name bjt.daven.us;

    # Paths written by acme.sh --install-cert in step 8
    ssl_certificate /etc/letsencrypt/cert/bjt.daven.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/cert/bjt.daven.us/privkey.pem;

    # TLS settings. The TLS 1.2 suites must match the certificate's key type: acme.sh
    # issues ECC certificates by default, and a list with only ECDHE-RSA suites would make
    # TLS 1.2 clients fail with "no shared cipher" (TLS 1.3 suites are fixed and unaffected).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # WebSocket upgrade to the local backend on 10000
    location /ray {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# Optional: redirect HTTP to HTTPS (the port must match the ssl listener above, 7033)
#server {
#    listen 80;
#    listen [::]:80;
#    server_name bjt.daven.us;
#    return 301 https://$host:7033$request_uri;
#}
Enable the site, test the configuration, then reload:
ln -s /etc/nginx/sites-available/bjt.daven.us /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
10. ufw configuration
# Add the allow rules BEFORE enabling: enabling first on a remote host drops the SSH session,
# and SSH is on 9922 here, not 22.
ufw allow 9922/tcp
ufw allow 9017/udp
ufw allow 443/tcp
ufw allow 80/tcp
ufw allow 9090/tcp
ufw allow 7033/tcp
systemctl enable ufw
sudo ufw enable
# The default policy is deny incoming / allow outgoing; confirm the resulting rule set
ufw status verbose
vi /etc/default/ufw
# Find this line and change DROP to ACCEPT. Only do this if the host actually forwards traffic
# (VPN, container network); it applies to all forwarded packets, so leave DROP otherwise.
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo ufw reload
The cloud-side firewall (security group) is a separate layer: the same ports must be opened there too, or the traffic never reaches ufw.