ddatsh vps note

Domain

NameSilo

DNSSEC

dig @8.8.8.8 +dnssec ddatsh.com

If the answer contains RRSIG records, the zone is signed. Look at the flags line as well: 8.8.8.8 is a validating resolver and only sets the ad (authenticated data) flag when the whole chain of trust validates, which includes the DS record you publish at the registrar (NameSilo). RRSIG without ad means the zone is signed but not yet trusted by resolvers.
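The check above, as an added example that is not part of the original note: it separates a zone that is merely signed from one whose chain of trust actually validates, and recognises the SERVFAIL a validating resolver returns for a bogus zone. The domain and the resolver 8.8.8.8 come from the note; the verdict names and the dig wrapper are mine.

```shell
#!/bin/sh
# Added example, not from the original note: classify "dig +dnssec" output.
# The domain and resolver come from the note; everything else is assumed.

# Classify the text of one "dig @resolver +dnssec <domain>" run:
#   validated           RRSIG present and the resolver set the ad flag
#   signed-unvalidated  RRSIG present, no ad flag: signed, but the resolver
#                       could not build a chain of trust (typically the DS
#                       record is not published at the registrar)
#   validation-failed   SERVFAIL: a validating resolver refuses a bogus zone;
#                       re-run with +cd to see the records it rejected
#   unsigned            no RRSIG at all
dnssec_verdict() {
    answer=$1
    if printf '%s\n' "$answer" | grep -Eq '^;; ->>HEADER<<-.*status: SERVFAIL'; then
        echo validation-failed
    elif ! printf '%s\n' "$answer" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo unsigned
    elif printf '%s\n' "$answer" | grep -Eq '^;; flags:.* ad[ ;]'; then
        echo validated
    else
        echo signed-unvalidated
    fi
}

# Query a validating resolver and classify the result (needs network; the
# test only exercises dnssec_verdict on constructed output).
dnssec_check() {
    domain=${1:-ddatsh.com}
    resolver=${2:-8.8.8.8}
    dnssec_verdict "$(dig "@$resolver" +dnssec "$domain")"
}

# Usage: dnssec_check ddatsh.com 8.8.8.8
```

A signed-unvalidated verdict right after enabling DNSSEC at Cloudflare usually means the DS record has not been added at NameSilo yet, or the registrar change has not propagated.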

DNS hosting

Used DNSPod for years

Now on Cloudflare

Hosting

Just a blog and a few small services, so the cheapest tier is enough.

Early on a BandwagonHost box, which also served for getting over the GFW; later switched to a paid proxy subscription ("airport") for that and a domestic VPS for hosting.

Tencent Cloud, Alibaba Cloud

# unprivileged account that owns /data and runs the blog and the small services
useradd -d /data data

yum install htop dstat telnet ncdu git

Certificates

Let's Encrypt

curl https://get.acme.sh | sh

# Cloudflare DNS API credentials for the dns_cf hook (global API key + account email).
# The global key grants full account access; acme.sh also accepts a scoped API token
# (CF_Token with CF_Account_ID / CF_Zone_ID), which is the least-privilege option.
export CF_Key=""
export CF_Email=""

acme.sh --register-account -m i@ddatsh.com
# Newer acme.sh releases default to ZeroSSL; add --server letsencrypt to --issue
# (or run acme.sh --set-default-ca --server letsencrypt once) to get Let's Encrypt.
# RSA certificate (default key length); --force re-issues even if renewal is not due
acme.sh --issue --dns dns_cf -d *.ddatsh.com -d ddatsh.com --force
# ECC certificate
acme.sh --issue --dns dns_cf -d *.ddatsh.com -d ddatsh.com --keylength ec-384 --force

# Copy key and full chain into nginx's config dir; reloadcmd runs again on every renewal
acme.sh --installcert --ecc -d *.ddatsh.com --key-file /etc/nginx/conf.d/ssl/ddatsh.com.ecc.key --fullchain-file /etc/nginx/conf.d/ssl/ddatsh.com.ecc.cer --reloadcmd "/usr/sbin/nginx -s reload"

acme.sh --installcert -d *.ddatsh.com --key-file /etc/nginx/conf.d/ssl/ddatsh.com.rsa.key --fullchain-file /etc/nginx/conf.d/ssl/ddatsh.com.rsa.cer --reloadcmd "/usr/sbin/nginx -s reload"

Email

Tencent Exmail

nginx

# Quote the delimiter: with an unquoted EOF the shell expands $releasever and
# $basearch to empty strings and the baseurl is wrong. gpgcheck=1 makes yum
# verify every package against the nginx signing key.
cat > /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
server {
  resolver 8.8.8.8 8.8.4.4 223.5.5.5 valid=300s;
  resolver_timeout 5s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ...
}

Two things go wrong without this. With no resolver directive nginx cannot look up the OCSP responder at all and writes the warning below to error.log; and with a domestic resolver, ocsp.int-x3.letsencrypt.org (the responder of the old X3 intermediate; the log line below names r3.o.lencr.org, the responder of the newer R3 intermediate) is DNS-poisoned in China, so the fetch fails. Hence resolver 8.8.8.8.

[warn] 10739#10739: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/conf.d/ssl/ddatsh.com.ecc.cer"

Per the nginx documentation, ssl_stapling_verify also needs the issuer and root certificates configured as trusted (ssl_trusted_certificate) to verify the responses. Note too that Let's Encrypt has since retired its OCSP responders in favour of CRLs and no longer puts an OCSP URL in the certificates it issues, so this stapling setup only matters for certificates from other CAs now.

Verification

openssl s_client -connect ddatsh.com:443 -servername ddatsh.com -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

Successful response

OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

Failure

OCSP response: no response sent

Run it several times: nginx does not fetch the OCSP response up front but asynchronously after the site has been accessed, so the first few requests may come back without an OCSP response.
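The retry loop that caveat asks for, as an added example that is not part of the original note: it warms nginx with one HTTPS request, then repeats the openssl probe until a response is stapled. The host name and the openssl command line come from the note; the retry count, sleep interval and curl warm-up are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note: poll until nginx has stapled an
# OCSP response. Host name from the note; retry count and interval assumed.

# Classify the output of "openssl s_client -status": prints stapled, none or
# other (connection failure, or a status line we do not recognise).
ocsp_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo other
    fi
}

# One TLS handshake with the status_request extension, classified.
probe_once() {
    host=$1
    ocsp_status "$(openssl s_client -connect "$host:443" -servername "$host" \
        -status -tlsextdebug </dev/null 2>&1)"
}

# A plain HTTPS request makes nginx start its asynchronous OCSP fetch; then
# poll a few times. Returns 0 once a response is stapled, 1 if none appears
# (check error.log for resolver or responder problems in that case).
wait_for_staple() {
    host=$1
    tries=${2:-10}
    curl -s -o /dev/null "https://$host/" || true
    i=1
    while [ "$i" -le "$tries" ]; do
        s=$(probe_once "$host")
        echo "attempt $i: $s"
        [ "$s" = stapled ] && return 0
        sleep 2
        i=$((i + 1))
    done
    return 1
}

# Usage (needs network; the test only exercises ocsp_status):
#   wait_for_staple ddatsh.com 10
```

If every attempt reports none, the cause is almost always the resolver directive or a blocked responder, not timing; if it reports other, the handshake itself failed and the certificate paths should be checked first.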

Deployment

webhook

https://github.com/adnanh/webhook

/data/webhooks.json

Minimal hook definition (the trailing comma after execute-command was invalid JSON and is removed here). Note there is no trigger-rule, so any request that reaches /hooks/www runs the script:

[
  {
    "id": "www",
    "execute-command": "/data/www.sh"
  }
]
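A hardened version of that hook, as an added example that is not part of the original note or of the webhook project: the trigger-rule makes webhook verify an HMAC-SHA256 over the raw request body (the X-Hub-Signature-256 header GitHub sends) before it runs /data/www.sh, and the helper functions produce the same signature so the rule can be tested locally. The hook id, script path and /data come from the note; the secret value, listener port 9000, payload and rule names (as in the current webhook documentation) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note or the webhook project: an
# HMAC-protected hook definition plus a client that signs requests for it.
# Hook id and script path from the note; secret, port and payload assumed.

SECRET=${WEBHOOK_SECRET:-change-me-before-deploying}

# Write the hook definition. With the trigger-rule, a request whose
# X-Hub-Signature-256 does not match HMAC-SHA256(secret, body) is rejected,
# so knowing the URL alone is no longer enough to run /data/www.sh.
write_hook_config() {
    cat > "$1" <<EOF
[
  {
    "id": "www",
    "execute-command": "/data/www.sh",
    "command-working-directory": "/data",
    "trigger-rule": {
      "match": {
        "type": "payload-hmac-sha256",
        "secret": "$SECRET",
        "parameter": { "source": "header", "name": "X-Hub-Signature-256" }
      }
    }
  }
]
EOF
}

# Hex HMAC-SHA256 of a payload under a key, as GitHub computes it.
# (The key is passed on the openssl command line, so it is visible in ps;
# acceptable for a local test, not for a shared host.)
hmac_sha256() {
    key=$1
    payload=$2
    printf '%s' "$payload" | openssl dgst -sha256 -hmac "$key" | awk '{print $NF}'
}

# The header value GitHub would send: "sha256=<hex>".
signature_header() {
    printf 'sha256=%s' "$(hmac_sha256 "$1" "$2")"
}

# Send one signed test request to the hook (needs a running listener; the
# test only exercises the signing functions and the config writer).
trigger_signed() {
    url=${1:-http://127.0.0.1:9000/hooks/www}
    body='{"ref":"refs/heads/master"}'
    curl -sS -X POST "$url" \
        -H 'Content-Type: application/json' \
        -H "X-Hub-Signature-256: $(signature_header "$SECRET" "$body")" \
        --data "$body"
}

# Usage:
#   write_hook_config /data/webhooks.json
#   webhook -hooks /data/webhooks.json -port 9000 -verbose   # run as the data user
#   trigger_signed
```

Run the listener as the unprivileged data user created earlier rather than as root: execute-command runs with the listener's privileges, so the HMAC rule limits who can trigger the deploy and the account limits what a compromised deploy script can do.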