标签归档:CentOS

为Oracle Cloud申请的免费VPS CentOS 7 系统升级内核并开启官方原版BBR加速

Oracle 云申请的CentOS 7 系统,自带3.1内核,且为EFI引导,并默认开启SELinux,升级内核开启BBR易出现错误导致无法开机。开启原版BBR需要4.9以上内核,以下内容记录升级内核并开启BBR的过程。

更新系统

sudo yum update -y

查看内核

uname -r

3.10.0-1062.1.1.el7.x86_64

改SELinux为permissive模式

查看SELinux状态,默认开启:

sestatus

将enforcing改为permissive,如下:

sudo vi /etc/sysconfig/selinux

SELINUX=permissive

重启vps:

sudo reboot

开启elrepo源

sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

sudo yum install https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm

查看可安装内核

yum --disablerepo="*" --enablerepo="elrepo-kernel" list available

安装内核

sudo yum --enablerepo=elrepo-kernel install kernel-ml

查看新内核是否安装成功

rpm -qa | grep kernel

更新引导

这是一个容易出错的地方,以前碰到的启动配置文件,大多是在/boot/grub2/grub.cfg,而该系统为EFI引导,配置文件位置不同。

sudo grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

列出系统开机的所有启动项

sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /boot/efi/EFI/centos/grub.cfg

设置默认启动项

sudo grub2-set-default 0

重启VPS

sudo reboot

查看内核

uname -r
5.3.1-1.el7.elrepo.x86_64

开启bbr(直接抄袭大佬的全部内容)

执行 lsmod | grep bbr,如果结果中没有 tcp_bbr 的话就先执行:

sudo modprobe tcp_bbr
echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf

执行

echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf

保存生效

sudo sysctl -p

执行

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control

如果结果都有 bbr,则证明你的内核已开启 BBR。

执行 lsmod | grep bbr,看到有 tcp_bbr 模块即说明 BBR 已启动。

重新开启SELinux

检查有无SELinux相关错误:

sudo cat /var/log/messages | grep "SELinux is preventing"

确保无错误后,再启用SELinux Enforcing 模式

sudo vi /etc/sysconfig/selinux

将permissive改回enforcing,如下修改:

SELINUX=enforcing

重启VPS

sudo reboot

为caddy启用tls 1.3

更新日志

20190918

在20190305的更新中,caddy默认支持了tls 1.3,因此以下内容已过时从官网或者github下载使用即可。

nginx启用tls1.3已多时,这里记录下在caddy中启用tls1.3的过程。

安装依赖:

sudo yum -y install docker
service docker start

下载源码:

cd ~
git clone https://github.com/cloudflare/tls-tris.git
go get github.com/mholt/caddy
go get github.com/caddyserver/builds

编译go,使之支持tls1.3:

cd tls-tris; cp _dev/utils/pre-commit .git/hooks/
sudo make -f _dev/Makefile build-all

编译成功,运行如下命令确认:

GOROOT=”/home/$USER/tls-tris/_dev/GOROOT/linux_amd64/” go version
-> go version go1.11.1 linux/amd64

下载并应用caddy补丁:

cd $GOPATH/src/github.com/mholt/caddy
wget https://www.hnrk.io/md/caddy.patch
patch -p1 < caddy.patch

编译caddy:

cd $GOPATH/src/github.com/mholt/caddy/caddy
GOROOT=”/home/$USER/tls-tris/_dev/GOROOT/linux_amd64/” go run build.go

编译成功的caddy在当前目录下。直接替换原caddy后运行即已支持tls 1.3。

为网站开启QUIC的几点注意事项

QUIC的文章比较多了,但是开启起来仍然是件困扰人的事。本文简要记录一下为网站开启QUIC的几点注意事项。

一 QUIC对比现有HTTP2的主要优势:

  • 显著减少连接建立时间
  • 改进的拥塞控制
  • 无对头阻塞的多路复用
  • 前向纠错
  • 连接迁移

二 开启QUIC的注意事项主要有以下几点:

Caddy的13f9c34已经支持QUIC 44、43、39,运行参数中加入-quic

编译caddy时,需要为主分支的quic-go打一个补丁:
cd $GOPATH/src/github.com/mholt/caddy/vendor/github.com/lucas-clemente/quic-go/

vi quic.patch

quic.pathch的内容如下:

From 20719a7c50c1f97ff0f2272010cda5710794c1d0 Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Thu, 29 Nov 2018 20:33:02 +0700
Subject: [PATCH] use the original tls.Config if tls.Config.GetConfigForClient
 returns nil

---
 internal/crypto/cert_chain.go      | 15 ++++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/internal/crypto/cert_chain.go b/internal/crypto/cert_chain.go
index 0c728fd25..45af2952d 100644
--- a/internal/crypto/cert_chain.go
+++ b/internal/crypto/cert_chain.go
@@ -56,8 +56,7 @@ func (c *certChain) GetLeafCert(sni string) ([]byte, error) {
 }
 
 func (c *certChain) getCertForSNI(sni string) (*tls.Certificate, error) {
-	conf := c.config
-	conf, err := maybeGetConfigForClient(conf, sni)
+	conf, err := maybeGetConfigForClient(c.config, sni)
 	if err != nil {
 		return nil, err
 	}
@@ -107,7 +106,13 @@ func maybeGetConfigForClient(c *tls.Config, sni string) (*tls.Config, error) {
 	if c.GetConfigForClient == nil {
 		return c, nil
 	}
-	return c.GetConfigForClient(&tls.ClientHelloInfo{
-		ServerName: sni,
-	})
+	confForClient, err := c.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
+	if err != nil {
+		return nil, err
+	}
+	// if GetConfigForClient returns nil, use the original config
+	if confForClient == nil {
+		return c, nil
+	}
+	return confForClient, nil
 }

patch -p1 < quic.patch

之后再进入caddy目录进行下一步的编译:

cd $GOPATH/src/github.com/mholt/caddy

请升级到目前的最新版 1.11。

  • 在防火墙中为443端口开启udp

          Firewalld:

sudo firewall-cmd --zone=public --add-port=443/udp --permanent

          iptables:

sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT
  • 将Chrome升级到最新版

在chrome://flags/#enable-quic中启用QUIC支持。

三 一个查看QUIC支持情况的命令

curl -I https://www.coldawn.com we get
HTTP/1.1 200 OK
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"
Cache-Control: max-age=8640000
Content-Type: text/html; charset=UTF-8
Link: <https://www.coldawn.com/wp-json/>; rel="https://api.w.org/"
Server: Caddy
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Powered-By: PHP/7.2.10
X-Xss-Protection: 1; mode=block
Date: Fri, 28 Sep 2018 04:29:41 GMT

CentOS 7 上使用Certbot申请通配符证书(ACMEv2 Wildcard Certificates)

通配符证书(泛域名证书)对于小博客来说,毫无用处,但是要赶个时髦。本文记录下申请RSA和ECDSA通配符证书的过程。

1 安装Certbot

签署通配符证书需要Certbot 0.22以上。如果以前安装过certbot,一般是直接yum update即可。如果是全新安装,则如下:
先升级:

yum update -y

查看系统版本:

cat  /etc/centos-release CentOS Linux release 7.4.1708 (Core)

安装epel源:

yum install epel-release -y

安装certbot:

yum install certbot -y

查看certbot版本:

certbot --version certbot 0.22.0

2 申请RSA通配符证书的过程

2.1 用如下命令申请证书

co1dawn.com和*.co1dawn.com换成自己的域名;执行该命令时不依赖nginx。

certbot -d co1dawn.com -d *.co1dawn.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly --agree-tos

输入应急邮箱,证书到期前会有邮件提示:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

如果想跳过输入邮箱的步骤,可在申请命令后面加上:

--register-unsafely-without-email

之后出现如下提示:要公开记录申请该证书的IP地址,是否同意?不同意就无法继续。

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

同意之后,出现如下提示,第一个“Press Enter to Continue”处直接回车,第二个“Press Enter to Continue”不要按回车:

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com with the following value:

iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue             #此处直接回车

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.co1dawn.com with the following value:

f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue             #此处不要按回车
2.2 为DNS解析增加TXT记录

进入自己域名的DNS记录管理页面,增加两条TXT记录,多数情况下,仅需在域名(Name)处填入_acme-challenge,在内容(Target)处填入上一步Certbot生成的内容即可,不同DNS提供商处可能会略有不同,根据实际情况修改:

    Name                                     Target
_acme-challenge             iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM
_acme-challenge             f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0

稍等片刻,等TXT记录解析生效。查看是否生效的命令和生效后的查询结果如下:

host -t txt _acme-challenge.co1dawn.com
_acme-challenge.co1dawn.com descriptive text "iLS0NjcdP3RR1KphB6xbbVnKS_NS2uMW-xdDRzz85OM" 
_acme-challenge.co1dawn.com descriptive text "f3V7aw5GPm5yzNsJFanQQaUFMyVQcqriUe3UjIDUHn0"
2.3 继续申请证书

当第2.2步查看TXT记录解析成功后,回到申请证书的第2.1步处,直接回车,等待:

Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/co1dawn.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/co1dawn.com-0001/privkey.pem
   Your cert will expire on 2018-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

这表示已成功生成新的证书和密钥,修改nginx的配置文件定位新证书和密钥的位置后重启nginx即可。

3 申请ECDSA通配符证书

3.1 首先是生成支持通配符证书的请求文件

步骤请参考这篇文章:使用Let’s Encrypt的Certbot为ngxin生成ECDSA证书,以下内容中的文件名基本和这篇文章相同。
生成ECDSA私钥:

openssl ecparam -genkey -name secp384r1 > ec.key

生成通配符证书的请求文件的命令需要改为:

openssl req -new -sha384 -key ec.key -subj "/CN=co1dawn.com" -reqexts SAN -config <(cat /usr/local/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:co1dawn.com,DNS:*.co1dawn.com")) -outform der -out ec-der.csr

ec.key 是自己生成的私钥
co1dawn.com 改成自己的域名
ec-der.csr 支持通配符证书的请求文件,假设放到/usr/local/src下,下面会用到

3.2 申请通配符证书

步骤和申请默认的RSA通配符证书基本一致,而且TXT记录相同,无需再次添加了。

certbot -d co1dawn.com -d *.co1dawn.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly --csr "/usr/local/src/ec-der.csr"

之后一路回车即可。

CentOS 7 编译安装nginx并启用TLS1.3

暂时转向caddy,caddy已经可以支持tls v1.3

更新日志

20180708
OpenSSL于2018年6月8日更新了关于tls 1.3的说明,见此wiki,本文按新wiki修改更新;
主要变化有:OpenSSL目前同时支持“draft-26”, "draft-27" and "draft-28"草案;简化流程,编译时默认开启tls 1.3,无需enable参数;加密算法表达的更新;
Chrome canary 69.0.3484.0 和 Firefox Nightly 63.0a1支持tls1.3 Draft 28。
20180411
Firefox Nightly 61.0a1支持tls1.3 Draft 26。
20180404
IESG批准将TLS 1.3 Draft 28作为TLS version 1.3 的建议标准;
至20180404,Openssl支持的标准为Draft 26。
20180312
Chrome 65正式版已经发布,支持tls1.3 Draft 23。
20180207
修正部分错误。
如果TLSv1.3如期发布,OpenSSL 1.1.1 将于2018年4月17日面向公众发布。对于服务器来说,我还是喜欢CentOS,支持周期很长,折腾一次可以用很长世间,因此以下记录一下在基于LNMP的CentOS 7 系统上启用TLSv1.3的过程。

1 升级系统

yum update

升级后的系统版本为:

cat /etc/centos-release CentOS Linux release 7.5.1804 (Core)

2 安装官方mainline版的nginx

通过官方源安装nginx的目的是:
自动生成nginx的配置文件,减少大量的工作;
获取nginx的编译参数。

配置源:

vi /etc/yum.repos.d/nginx.repo

写入如下内容:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

安装nginx:

yum install nginx -y

查看nginx版本:

nginx -v nginx version: nginx/1.15.1

获取编译参数:

nginx -V nginx version: nginx/1.15.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

修改nginx源,将enabled=1改为enabled=0,防止yum update时nginx被更新掉

vi /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=0

3 编译nginx

安装可能用到的依赖:

yum install -y git gcc gcc-c clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel  perl-devel perl-ExtUtils-Embed

获取源码:

git clone https://github.com/nginx/nginx.git
git clone https://github.com/openssl/openssl.git
git clone https://github.com/grahamedgecombe/nginx-ct.git

nginx-ct是启用证书透明度(Certificate Transparency)策略的模块。为了启用Certificate Transparency和TLSv1.3,需要额外加入如下编译参数:

--add-module=../nginx-ct/ --with-openssl=../openssl/

加在官方编译参数后面,简单修改形成完整的编译参数:

auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=../nginx-ct/ --with-openssl=../openssl/

进入nginx源码目录,并输入如上完整的编译参数。
开始编译:

make

查看编译好的nginx信息:

./objs/nginx -v nginx version: nginx/1.15.2

备份已经安装好的官方mainline版,安装编译版:

mv /usr/sbin/nginx /usr/sbin/nginx.1.15.1.20180708.official.mainline
cp ./objs/nginx /usr/sbin/

4 修改nginx配置文件内的ssl_protocols和ssl_ciphers,默认启用TLSv1.3的前三项常用的加密算法

...
ssl_protocols          TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers            EECDH+CHACHA20:ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA;
...

重启nginx服务以使修改生效:

systemctl restart nginx

5 测试TLSv1.3是否生效

5.1 使用testssl工具
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh --help

命令为(coldawn.com需要换成自己的域名):

./testssl.sh -p coldawn.com ... Testing protocols via sockets except SPDY+HTTP2 SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) TLS 1.3 offered (OK): draft 28, draft 27, draft 26 NPN/SPDY h2, http/1.1 (advertised) ALPN/HTTP2 h2, http/1.1 (offered) ...

详细的情况,用大写的P作为参数:

./testssl.sh -P coldawn.com

 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA
    TLSv1.1:   ECDHE-RSA-AES256-SHA
    TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
5.2 使用现代浏览器

Chrome canary 69.0.3484.0 和 Firefox Nightly 63.0a1已经支持tls1.3 Draft 28。