- BBR
- The legendary BBR. If you have searched for the various circumvention ("scientific internet access") techniques, you have surely heard of BBR more than once, and with the embellishments in countless blog posts it sounds almost magical. On top of that there are bbrplus, bbr2, "modified BBR" and a whole pile of other derivatives, sold like snake oil: use it and a cheap route supposedly turns into a dedicated line. So what is this thing? Does it work? And which version should you use?
- The real BBR = Bottleneck Bandwidth and Round-trip propagation time, a TCP congestion control algorithm. The crude way to understand it is as traffic management for data flows: once the road is no longer jammed, every car can naturally keep a good speed. So does it help? In general there is a perceptible difference between having BBR and not having BBR (speed, stability and latency all improve somewhat), so it is [strongly recommended to enable BBR]. Once it is enabled, however, the difference between BBR on 4.x and on 5.x kernels is usually subtle and a matter of taste; the decisive factor for the experience is still the quality of the route. So: [don't agonize over versions, don't blindly chase the newest, just follow your distribution's kernel updates].
- Are bbrplus, bbr2, "modified BBR" and the other cool-sounding versions better? In one sentence: no! Don't use them! These are names made up purely to attract attention. BBR is updated and released together with the Linux kernel. In other words, as long as you run a reasonably recent kernel, you automatically get the current BBR. The cool-sounding variants are, put plainly, kernels that have not been officially released and are still in testing, together with the BBR version they carry. Those scripts do nothing more than download a preview kernel (or even a third-party modified kernel) to enable it early. A stable kernel is the foundation of a stable server. [The tiny performance difference of a BBR test build is absolutely not worth switching to an unstable kernel.] Choose the newest kernel supported by your Linux distribution; that gives the best long-term stability and compatibility.
- Enabling BBR on CentOS 8 is actually very simple and needs only a few lines. The commands are:
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
- fq, fq_codel, fq_pie, cake and the other algorithms: which one is best? In one sentence: if you don't understand the differences, keep fq; it is sufficient and will not degrade your line.
- Install elrepo and upgrade the kernel
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
If the installation succeeded, running "rpm -qa|grep kernel" should show kernel-ml-* in the result list:
kernel-ml-4.9.0-1.el7.elrepo.x86_64
kernel-3.10.0-514.el7.x86_64
kernel-3.10.0-514.2.2.el7.x86_64
Now you need to enable the 4.9.0+ kernel by setting the default grub2 boot entry.
List all grub2 entries:
egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'
# or
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
The result should look like this:
CentOS Linux (5.12.10-1.el7.elrepo.x86_64) 7 (Core)
CentOS Linux (3.10.0-1160.31.1.el7.x86_64) 7 (Core)
CentOS Linux (3.10.0-1062.1.1.el7.x86_64) 7 (Core)
CentOS Linux (0-rescue-96820b9851c24560b5f942f2496b9aeb) 7 (Core)
Indexes start at 0, which means the 5.12 kernel is at "0":
grub2-set-default 0
Set the congestion control to bbr and the default qdisc to fq:
vi /etc/sysctl.conf
Add the following (sysctl.conf only accepts comments on their own line, starting with #):
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
- Load the system parameters: sysctl -p
To verify that BBR is enabled, run "sysctl net.ipv4.tcp_available_congestion_control".
If it returns: net.ipv4.tcp_available_congestion_control = reno cubic bbr
the installation succeeded.
Run lsmod | grep bbr; if it returns tcp_bbr 20480 2
the installation succeeded.
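The steps above append to sysctl.conf with `>>` and confirm BBR through the list of available algorithms. As an added example that is not part of the original notes, the Python below sets the two keys idempotently (repeated `>>` runs leave duplicate lines) and checks that bbr and fq are the values actually in effect, since a kernel can list bbr as available while still running cubic. The names `set_sysctl_keys`, `bbr_status` and `live_status` are assumptions of this example.

```python
import re
from pathlib import Path

# The two keys the notes append to /etc/sysctl.conf.
BBR_SETTINGS = {"net.core.default_qdisc": "fq",
                "net.ipv4.tcp_congestion_control": "bbr"}

def set_sysctl_keys(conf_text: str, settings: dict) -> str:
    """Return conf_text with each key present exactly once (replace or append).
    Appending with `>>` as the notes do adds a duplicate line on every re-run."""
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=", line)
        key = m.group(1) if m else None
        if key not in settings:
            out.append(line)
        elif key not in seen:  # first occurrence is rewritten, later ones dropped
            seen.add(key)
            out.append(f"{key} = {settings[key]}")
    out += [f"{k} = {v}" for k, v in settings.items() if k not in seen]
    return "\n".join(out) + "\n"

def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines as printed by `sysctl`."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def bbr_status(sysctl_text: str, modules_text: str) -> list:
    """Return the problems found; an empty list means bbr + fq are really active.
    `tcp_available_congestion_control` only proves bbr is loadable, so the
    active value in `tcp_congestion_control` is checked as well."""
    cur, problems = parse_sysctl(sysctl_text), []
    if "bbr" not in cur.get("net.ipv4.tcp_available_congestion_control", "").split():
        loaded = re.search(r"^tcp_bbr\b", modules_text, re.M) is not None
        problems.append("bbr not available" + ("" if loaded else " (tcp_bbr not loaded)"))
    if cur.get("net.ipv4.tcp_congestion_control") != "bbr":
        problems.append("tcp_congestion_control is not bbr (available is not active)")
    if cur.get("net.core.default_qdisc") != "fq":
        problems.append("default_qdisc is not fq")
    return problems

def live_status() -> list:
    """Run bbr_status against the running kernel via /proc (Linux only)."""
    keys = ("net.ipv4.tcp_available_congestion_control",
            "net.ipv4.tcp_congestion_control", "net.core.default_qdisc")
    text = "".join(f"{k} = {Path('/proc/sys', *k.split('.')).read_text().strip()}\n" for k in keys)
    return bbr_status(text, Path("/proc/modules").read_text())
```

On the server itself, `live_status()` returns an empty list only when the running kernel is using bbr with fq.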
- Xray
- Xray resources
Documentation https://xtls.github.io/
Source code https://github.com/XTLS/Xray-core
V2rayNG https://github.com/2dust/v2rayNG/releases
One-click Xray script https://github.com/wulabing/Xray_onekey
One-click V2Ray script https://github.com/wulabing/V2Ray_ws-tls_bash_onekey
- Xray file locations
/usr/local/etc/xray/config.json    Xray program settings (see the "Xray server" section)
/etc/ssl/xray/cert.pem    TLS certificate (see the "Xray server" section)
/etc/ssl/xray/privkey.key    TLS private key (see the "Xray server" section)
installed: /etc/systemd/system/xray.service
installed: /etc/systemd/system/xray@.service
installed: /usr/local/bin/xray
installed: /usr/local/etc/xray/*.json
installed: /usr/local/share/xray/geoip.dat
installed: /usr/local/share/xray/geosite.dat
installed: /var/log/xray/access.log
installed: /var/log/xray/error.log
- Xray server configuration
{
    "log": {
        "access": "/var/log/xray/access.log",
        "error": "/var/log/xray/error.log",
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "*",
                        "flow": "xtls-rprx-direct"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 60000,
                        "alpn": "",
                        "xver": 1
                    },
                    {
                        "dest": 60001,
                        "alpn": "h2",
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls",
                "xtlsSettings": {
                    "minVersion": "1.2",
                    "certificates": [
                        {
                            "certificateFile": "/etc/ssl/xray/cert.pem",
                            "keyFile": "/etc/ssl/xray/privkey.key"
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}
- Request a wildcard certificate
Tencent DNSPod https://console.dnspod.cn/ : obtain the API ID and Key there.
curl https://get.acme.sh | sh
source ~/.bashrc
# dnspod
export DP_Id="*"
export DP_Key="*"
# cloudflare
export CF_Key="*"
export CF_Email="*"
acme.sh --register-account -m *@gmail.com
# use the issue command that matches your DNS provider
acme.sh --issue --dns dns_dp -d qdhiker.com -d *.qdhiker.com
acme.sh --issue --dns dns_cf -d qdhiker.com -d *.qdhiker.com
acme.sh --install-cert -d qdhiker.com --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key
Below is the automatic renewal script:
#!/bin/bash
systemctl stop nginx xray
/root/.acme.sh/acme.sh --issue --dns dns_dp -d qdhiker.com -d *.qdhiker.com
/root/.acme.sh/acme.sh --install-cert -d qdhiker.com --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key
systemctl start nginx xray
- Nginx configuration, with Xray in front splitting the traffic. Enable php-fpm: systemctl enable php-fpm
# Upstream to abstract backend connection(s) for php
upstream php {
    # server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}

server {
    listen 80;
    server_name qdhiker.com;
    return 301 https://$http_host$request_uri;
    access_log /dev/null;
    error_log /dev/null;
}

server {
    # set_real_ip_from 127.0.0.1;
    # real_ip_header proxy_protocol;
    listen 127.0.0.1:60000 proxy_protocol;
    listen 127.0.0.1:60001 http2 proxy_protocol;
    server_name localhost;
    root /var/www/wordpress;
    index index.php;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # indicate locations of SSL key files.
    # ssl_certificate /etc/ssl/xray/cert.pem;
    # ssl_certificate_key /etc/ssl/xray/privkey.key;

    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks don't break when using query string
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        # without the following setting the site breaks (PHP must see the connection as HTTPS)
        fastcgi_param HTTPS on;
        # The following parameter can also be included in the fastcgi_params file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
}
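The Xray fallbacks above (dest 60000 and 60001 with xver 1) only work if the nginx listen lines for those ports carry `proxy_protocol`, and the "*" client id in the Xray config is a placeholder that must become a real UUID. As an added example that is not part of the original notes or of Xray/nginx, the Python below lints a config pair for exactly those points; `lint_xray_config`, `nginx_listeners` and the SAMPLE_* inputs are constructed here.

```python
import json
import re
import uuid

def nginx_listeners(nginx_conf: str) -> dict:
    """Map each 127.0.0.1 listen port to whether it expects the PROXY header."""
    ports = {}
    for m in re.finditer(r"^\s*listen\s+127\.0\.0\.1:(\d+)([^;]*);", nginx_conf, re.M):
        ports[int(m.group(1))] = "proxy_protocol" in m.group(2)
    return ports

def lint_xray_config(xray_json: str, nginx_conf: str) -> list:
    """Return findings as strings; an empty list means the pair is consistent."""
    cfg = json.loads(xray_json)
    listeners = nginx_listeners(nginx_conf)
    findings = []
    for inbound in cfg.get("inbounds", []):
        if inbound.get("protocol") != "vless":
            continue
        settings = inbound.get("settings", {})
        for client in settings.get("clients", []):
            try:
                uuid.UUID(str(client.get("id")))
            except ValueError:  # "*" in the notes is a placeholder, not a usable id
                findings.append(f"client id {client.get('id')!r} is not a UUID")
        tls = inbound.get("streamSettings", {}).get("xtlsSettings", {})
        if float(tls.get("minVersion", "1.0")) < 1.2:
            findings.append("minVersion allows TLS below 1.2")
        for fb in settings.get("fallbacks", []):
            dest, xver = fb.get("dest"), fb.get("xver", 0)
            if not isinstance(dest, int):
                continue  # unix-socket fallbacks are not checked here
            if dest not in listeners:
                findings.append(f"fallback {dest}: nginx has no listen 127.0.0.1:{dest}")
            elif listeners[dest] != bool(xver):  # PROXY header sent but not expected, or vice versa
                findings.append(f"fallback {dest}: xver={xver} but nginx "
                                f"proxy_protocol={listeners[dest]}")
    return findings

# Constructed sample pair mirroring the notes' layout; the second nginx listener
# deliberately lacks proxy_protocol so the mismatch finding is visible.
SAMPLE_XRAY = json.dumps({"inbounds": [{"port": 443, "protocol": "vless",
    "settings": {"clients": [{"id": "*", "flow": "xtls-rprx-direct"}],
                 "decryption": "none",
                 "fallbacks": [{"dest": 60000, "alpn": "", "xver": 1},
                               {"dest": 60001, "alpn": "h2", "xver": 1}]},
    "streamSettings": {"network": "tcp", "security": "xtls",
                       "xtlsSettings": {"minVersion": "1.2"}}}]})
SAMPLE_NGINX = "server {\n    listen 127.0.0.1:60000 proxy_protocol;\n    listen 127.0.0.1:60001 http2;\n}\n"
```

Running `lint_xray_config(SAMPLE_XRAY, SAMPLE_NGINX)` reports the placeholder id and the port 60001 PROXY-protocol mismatch; on a real host, pass the contents of config.json and the nginx site file.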
- Nginx configuration for the NextCloud server. Reference link:
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.4-fpm.sock;
}

server {
    listen 127.0.0.1:60002 proxy_protocol;
    listen 127.0.0.1:60003 http2 proxy_protocol;
    server_name nc.qdhiker.com;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;     # Avoid sending the security headers twice
        fastcgi_param front_controller_active true; # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;     # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;     # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}
- Installing common tools
yum install iptables-services wget vim lrzsz git lsof unzip curl net-tools epel-release
yum groupinstall "GNOME Desktop"
yum install tigervnc-server
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
# change the user in the unit file
su - your_user    # If you want to configure VNC server to run under this user directly from CLI without switching users from GUI
vncpasswd
vi /etc/systemd/system/vncserver@\:1.service
# as root:
systemctl daemon-reload
systemctl start vncserver@:1
systemctl status vncserver@:1
systemctl enable vncserver@:1