Debian 11 VPS deployment


Do NOT use BT Panel

Warning

Do NOT use BT Panel (宝塔面板) because of security and privacy concerns: its own privacy statement (quoted below) says it collects personal and device data, and the linked forum threads report undocumented remote interfaces in the panel.

Why you shouldn't use BT Panel

From: 宝塔隐私声明 - 宝塔面板

1、 我们将收集哪些个人信息
我们有两种信息收集方式:
1.1 您向我们提供的信息:
您在注册堡塔账户时,可能需要您向我们提供您的个人信息,例如:您的姓名、电子邮箱地址、手机号码、证件号码等。
1.2 我们在您使用我们产品和服务的过程中收集的信息:
可能需要您提供您的通讯地址、收/付款账号等。
必要时我们还会收集与产品使用相关的信息,例如IP 地址、Cookie、位置信息、产品制造商、产品型号、产品唯一标示符和设备数据等信息。

Related posts:

宝塔后门接口-美国VPS综合讨论-全球主机交流论坛 - Powered by Discuz!
宝塔国内版已知收集的隐私信息-美国VPS综合讨论-全球主机交流论坛 - Powered by Discuz!

Pre-work: reinstall the CentOS 7 template as Debian 11

Name: {location}
TemplateOS: centos 7
TargetOS: Debian 11 bullseye

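# Reinstall the CentOS 7 template as Debian 11 (bullseye) with a third-party netboot script.
# The script runs as root and rewrites the disk. It is pulled from a CDN mirror of a GitHub
# repository with no checksum or signature to verify, so fetch it and read it before running it.
wget https://gcore.jsdelivr.net/gh/MeowLove/Network-Reinstall-System-Modify/CoreShell/Core_Install_v3.1.sh
less Core_Install_v3.1.sh
# -p sets the root password of the freshly installed system. The original listing carried a
# real-looking password here; keep a placeholder in docs and rotate any password that was published.
bash Core_Install_v3.1.sh -d bullseye -v 64 -p '{password}' -a --mirror 'http://mirrors.tencentyun.com/debian' -firmware
# bash Core_Install_v3.1.sh -d bullseye -v 64 -p '{password}' -a -firmware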

First boot

/etc/motd: clear all text (the post-login banner)
tcpx.sh: choose menu options 22 and 23 (the numbering belongs to the script's interactive menu and may change between versions — read the menu before selecting)

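# First boot: lock SSH down to keys, bring up the host firewall, then run the TCP tuning script.
# Everything is interactive (nano prompts) and runs as root - treat this as a checklist.
nano /etc/motd
# A public key must already be installed before sshd_config gets "PasswordAuthentication no",
# otherwise the reboot at the end of this list locks you out of the box.
test -s ~/.ssh/authorized_keys || echo "WARNING: no ~/.ssh/authorized_keys - do not disable password auth yet" >&2
nano /etc/ssh/sshd_config
# Validate the edited config now: a single unknown keyword stops sshd from starting after the reboot.
/usr/sbin/sshd -t || echo "ERROR: sshd_config is invalid - fix it before rebooting" >&2
apt update
apt install ufw socat screen git htop
ufw default deny incoming
ufw default allow outgoing
# Allow rules are added before `ufw enable` so the active SSH session survives.
ufw allow OpenSSH
ufw allow "WWW Full"
ufw enable
apt install ca-certificates wget -y && update-ca-certificates
# tcpx.sh (Linux-NetSpeed) appears to change kernel/network settings and runs as root.
# It comes from a CDN mirror of a GitHub repo with nothing to verify it against:
# download it, read it, then run it instead of executing straight from the network.
wget -O tcpx.sh "https://gcore.jsdelivr.net/gh/ylx2016/Linux-NetSpeed/tcpx.sh"
less tcpx.sh
chmod +x tcpx.sh && ./tcpx.sh
nano /etc/network/interfaces
nano /etc/resolv.conf
reboot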
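# /etc/ssh/sshd_config
# Key-only SSH for the root account this guide uses. Run `sshd -t` after editing: sshd
# refuses to start on an unknown keyword, and this file is applied by the reboot that follows.
LogLevel INFO
# The original had "MaxAuth 4", which is not a valid keyword and makes sshd fail to start.
MaxAuthTries 4
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# Without this, PAM keyboard-interactive can still prompt for a password even though
# PasswordAuthentication is off.
ChallengeResponseAuthentication no
# Root logs in with a key only; interactive password logins for root are refused.
PermitRootLogin prohibit-password
ClientAliveInterval 600
ClientAliveCountMax 2
# "Protocol 2" is left out: SSH protocol 1 support was removed from OpenSSH long ago and the
# directive now only produces a deprecation warning.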

# /etc/network/interfaces
# Static IPv4 via ifupdown. "ens5" is the NIC name on this template; confirm it with `ip link`
# on the reinstalled host before rebooting - a wrong name leaves the box unreachable.
auto ens5
iface ens5 inet static
address {address}
netmask {netmask}
gateway {gateway}

# /etc/resolv.conf
# Cloudflare resolvers over plain port 53 (no DoT/DoH). This file stays static only while no
# DHCP client or resolvconf-style manager is installed; those overwrite it - TODO confirm on
# the target image.
nameserver 1.1.1.1
nameserver 1.0.0.1

Second boot

Use the plain-http mirror lines first: the https lines in sources.list below only work once ca-certificates is installed in the same step; switch to them afterwards.

# Second boot: switch to the chosen mirror, bring the system fully up to date, set the timezone.
nano /etc/apt/sources.list
apt update
# ca-certificates is what the https mirror lines actually need; apt-transport-https should be a
# transitional package on Debian 11 (apt handles https itself) and is kept for compatibility.
apt install apt-transport-https ca-certificates
apt upgrade -y
dpkg-reconfigure tzdata
reboot
# /etc/apt/sources.list
# TUNA is a third-party mirror: apt still verifies every index and package against the Debian
# archive keys, so the mirror can withhold or delay updates but not alter packages.
# The https lines require ca-certificates (installed in this step); the deb.debian.org lines
# at the bottom are the plain-http fallback referred to by "Use http repositories first".
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye main contrib non-free
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-updates main contrib non-free
# backports is opt-in per package (pinned low by default); nothing is pulled from it unless asked.
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-backports main contrib non-free
# "bullseye-security" is the security suite name for Debian 11 (older releases used <suite>/updates).
deb https://mirrors.tuna.tsinghua.edu.cn/debian-security bullseye-security main contrib non-free
# deb http://deb.debian.org/debian/ bullseye main contrib non-free
# deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
# deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free
# deb http://deb.debian.org/debian-security bullseye-security main contrib non-free

Software

Nginx

/usr/share/nginx/html: the document root — place (download) the site files here; the chown/chmod at the end of this section set their ownership and permissions.

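# nginx mainline from nginx.org, then a TLS certificate via acme.sh using Cloudflare DNS-01.
# Runs as root. `exec "$SHELL"` below restarts the shell, so this is a step list, not one script.
apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring
# Import the repository key into a dedicated keyring (not apt's global trust store) and print
# its fingerprint so it can be compared with the one published on nginx.org before trusting it.
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" \
  | tee /etc/apt/sources.list.d/nginx.list
# Pin nginx.org above the Debian archive so `apt install nginx` resolves to this repo.
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n' \
  | tee /etc/apt/preferences.d/99nginx
apt update
apt install nginx -y
systemctl start nginx
systemctl enable nginx
nano /etc/nginx/nginx.conf
nano /etc/nginx/conf.d/default.conf
# -f makes curl fail on an HTTP error instead of writing an error page where nginx expects DH params.
curl -fsSL https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/ssl/ffdhe4096.pem
nano /etc/nginx/conf.d/{website}.conf
# acme.sh installer: fetch it, read it, then run it, rather than piping the network into sh.
# `sh get-acme.sh email=...` passes the same positional argument the original `sh -s email=...` did.
curl -fsSL -o get-acme.sh https://get.acme.sh
less get-acme.sh
sh get-acme.sh email={email}
exec "$SHELL"
# Cloudflare credentials: acme.sh stores them in ~/.acme.sh/account.conf for renewals, and the
# exported values also land in shell history. Use a zone-scoped token with DNS edit rights only.
export CF_Token="{CF_Token}"
export CF_Zone_ID="{CF_Zone_ID}"
export CF_Account_ID="{CF_Account_ID}"
acme.sh --issue --dns dns_cf -d {website} --dnssleep 300
# acme.sh --issue --dns dns_cf -d {website}
acme.sh --install-cert -d {website} \
  --key-file /etc/ssl/{website}.key \
  --fullchain-file /etc/ssl/{website}.crt \
  --reloadcmd "service nginx force-reload"
# nginx reads the key as root at startup, so nobody else needs to read it.
chmod 600 /etc/ssl/{website}.key
# Document root owned by root and readable by the nginx group: the original `chown -R nginx:nginx`
# let a compromised worker process write into the web root.
chown -R root:nginx /usr/share/nginx/html
find /usr/share/nginx/html/ -type d -exec chmod 750 {} \;
find /usr/share/nginx/html/ -type f -exec chmod 640 {} \;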
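# /etc/nginx/nginx.conf
# Main nginx configuration for the nginx.org package; virtual hosts live in conf.d/*.conf.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 512;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
# Compression over TLS is what BREACH exploits; it only matters for dynamic pages that echo
# attacker-controlled input alongside a secret, not for static downloads.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
# These zones are declared but unused: they do nothing until a `limit_conn perip N;` or
# `limit_conn perserver N;` is added in a server or location block.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server_tokens off;
# The original switched the access log off globally, leaving no record of requests to
# investigate abuse or a compromise. Keep it on; rotate it with logrotate (check that the
# package installed /etc/logrotate.d/nginx).
access_log /var/log/nginx/access.log;
include /etc/nginx/conf.d/*.conf;
}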

# /etc/nginx/conf.d/default.conf
# Catch-all for port 80: requests whose Host header matches no other server block land here
# and are served the document root over plain HTTP - including scanners hitting the bare IP.
# If that is not intended, replace the body with `return 444;` or a redirect to https.
server {
listen 80 default_server;
server_name _;
index index.html;
root /usr/share/nginx/html;
}

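# /etc/nginx/conf.d/{website}.conf
# Port 80 only redirects; the site is served exclusively over TLS below.
server {
listen [::]:80;
listen 80;
server_name {website};
# `return` is the idiomatic redirect (no regex pass), and $server_name rather than the
# client-supplied $host keeps the Host header from steering the redirect target.
return 301 https://$server_name$request_uri;
}
server {
listen [::]:443 ssl http2 default_server;
listen 443 ssl http2 default_server;
server_name {website};
# The .php index entries only make sense once the PHP section has been done; until then a .php
# file dropped into the root would be served as plain text.
index index.php index.html index.htm default.php default.htm default.html;
root /usr/share/nginx/html;
ssl_certificate /etc/ssl/{website}.crt;
ssl_certificate_key /etc/ssl/{website}.key;
charset utf-8;
# HSTS with preload is a long-lived commitment: once on the preload list, this domain and every
# subdomain must stay HTTPS-only for at least max-age. Drop `preload` unless that is intended.
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
# X25519 added in front of the original P-384/P-521 list: it is the group virtually every
# modern client offers, and clients without the NIST curves would otherwise fail the handshake.
ssl_ecdh_curve X25519:secp384r1:secp521r1;
ssl_ciphers EECDH+AESGCM:EECDH+AES256;
ssl_session_cache shared:TLS:2m;
# With tickets off, the session cache above is the only resumption path; ticket keys would
# otherwise sit in worker memory and never rotate without a restart.
ssl_session_tickets off;
ssl_buffer_size 4k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
}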

Pyenv & Pyenv-virtualenv

Recommended Python version: 3.9.13

# pyenv + pyenv-virtualenv for root's shell: build dependencies, then pyenv itself from git.
apt update; apt install make build-essential libssl-dev zlib1g-dev \
libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm \
libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev
git clone https://github.com/pyenv/pyenv.git ~/.pyenv
# Compiles pyenv's optional bash extension (speeds up pyenv); leaves the shell in ~/.pyenv.
cd ~/.pyenv && src/configure && make -C src
# The same three lines go into both rc files so login and interactive shells see pyenv.
# The quoted delimiter keeps $HOME, $PYENV_ROOT and $(...) literal in the written file.
for rc_file in ~/.bashrc ~/.profile; do
  cat >>"$rc_file" <<'EOF'
export PYENV_ROOT="$HOME/.pyenv"
command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"
EOF
done
exec "$SHELL"
pyenv install {version}
git clone https://github.com/pyenv/pyenv-virtualenv.git "$(pyenv root)/plugins/pyenv-virtualenv"
echo 'eval "$(pyenv virtualenv-init -)"' >> ~/.bashrc
exec "$SHELL"
# Create and prime a virtualenv, then leave it; activate again per project.
pyenv virtualenv {version} venv
pyenv activate venv
pip install -U pip
pip install wheel
pyenv deactivate

Rclone

Read the rclone OneDrive documentation to generate your own client_id and client_secret before running the commands below.

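# rclone: fetch the installer, inspect it, then run it (instead of `curl | bash`).
curl -fsSL -o rclone-install.sh https://rclone.org/install.sh
less rclone-install.sh
bash rclone-install.sh
rclone config
# The client secret is passed on the command line, so it ends up in shell history and is
# visible in `ps` while the command runs; prefix the command with a space under
# HISTCONTROL=ignorespace or remove it from the history afterwards.
rclone authorize onedrive {client_id} {client_secret}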

Mariadb

Recommended version: 10.8

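# MariaDB 10.8 from a mariadb.org mirror, trusted through a repository-scoped keyring.
apt -y install curl software-properties-common gnupg2
# Bind the key to this repository with signed-by instead of dropping it into
# /etc/apt/trusted.gpg.d, where it would be allowed to sign *every* configured repository.
curl -fsSL https://mariadb.org/mariadb_release_signing_key.asc \
  | gpg --dearmor -o /usr/share/keyrings/mariadb-archive-keyring.gpg
# Own file under sources.list.d rather than appending to the main sources.list.
echo 'deb [signed-by=/usr/share/keyrings/mariadb-archive-keyring.gpg] https://mirror.rackspace.com/mariadb/repo/10.8/debian bullseye main' \
  > /etc/apt/sources.list.d/mariadb.list
apt update
apt install mariadb-server
# Interactive: root authentication, anonymous users, remote root login, test database.
mariadb-secure-installation
systemctl enable mariadb
nano /etc/mysql/mariadb.cnf
systemctl restart mariadb
mysql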
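# /etc/mysql/mariadb.cnf
# Server tuning for a small VPS. Note the two !includedir lines at the bottom: files in
# conf.d/ and mariadb.conf.d/ are read *after* this section and override anything set here.
[mysqld]
# Listen on loopback only. Debian's packaged mariadb.conf.d/50-server.cnf normally sets this too,
# but the database should not depend on an include file for staying off the network.
bind-address = 127.0.0.1
binlog_cache_size = 64K
thread_stack = 256K
join_buffer_size = 1024K
query_cache_type = 1
max_heap_table_size = 64M
default_storage_engine = InnoDB
performance_schema_max_table_instances = 400
table_definition_cache = 400
skip-external-locking
key_buffer_size = 128M
# 1G is the protocol maximum; every client may send packets this large, so it also bounds
# how much memory a single misbehaving connection can make the server allocate.
max_allowed_packet = 1G
table_open_cache = 128
sort_buffer_size = 768K
net_buffer_length = 4K
read_buffer_size = 768K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
thread_cache_size = 64
query_cache_size = 64M
tmp_table_size = 64M
sql-mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
explicit_defaults_for_timestamp = true
max_connections = 100
max_connect_errors = 100
open_files_limit = 65535
# Binary log on with a 10-day retention; the directory must exist and be writable by mysql.
log_bin=/var/log/mysql/mysql-bin.log
binlog_format=mixed
server-id = 1
expire_logs_days = 10
slow_query_log=1
long_query_time=3
innodb_data_file_path = ibdata1:10M:autoextend
innodb_buffer_pool_size = 256M
innodb_log_file_size = 64M
innodb_log_buffer_size = 16M
# 1 = flush the redo log on every commit (full durability, slowest setting).
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
innodb_max_dirty_pages_pct = 90
innodb_read_io_threads = 1
innodb_write_io_threads = 2
[mysqldump]
quick
max_allowed_packet = 500M
[mysql]
no-auto-rehash
[myisamchk]
key_buffer_size = 32M
sort_buffer_size = 768K
read_buffer = 2M
write_buffer = 2M
[mysqlhotcopy]
interactive-timeout
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/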
/* mysql */
-- Application schema plus a localhost-only account that is limited to that schema:
-- no global privileges and no GRANT OPTION.
CREATE DATABASE {database}
  DEFAULT CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;
CREATE USER '{user}'@'localhost' IDENTIFIED BY '{password}';
GRANT ALL ON {database}.* TO '{user}'@'localhost';
FLUSH PRIVILEGES;
exit;

Redis

Recommended version: 7.0

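# Redis from packages.redis.io (the recommended 7.0 is newer than what the Debian 11 archive ships).
nano /etc/sysctl.conf
sysctl -p
curl -fsSL https://packages.redis.io/gpg | gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/redis.list
# The original went straight to `apt install` after adding the repository, so apt would still
# resolve "redis" from the Debian archive; the package index has to be refreshed first.
apt update
apt install redis
nano /etc/redis/redis.conf
systemctl restart redis-server
systemctl enable redis-server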
# /etc/sysctl.conf
# Redis warns at startup and its background save/rewrite forks can fail under memory pressure
# unless overcommit is allowed. Applied with `sysctl -p`.
vm.overcommit_memory = 1

# /etc/redis/redis.conf
# Local-only Redis 7 used (among other things) as the PHP session store.
# No `requirepass`/ACL is configured: any process on this host that can reach 127.0.0.1:6379
# - including the PHP-FPM workers - can read, forge or flush every key. Add `requirepass`
# (and the matching auth= parameter in php.ini's session.save_path) if other local users or
# applications share the machine.
bind 127.0.0.1
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
supervised auto
pidfile /run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
proc-title-template "{title} {listen-addr} {server-mode}"
always-show-logo yes
# RDB snapshots only (appendonly is off below): writes since the last snapshot are lost on a crash.
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
# Snapshots (and with them the live sessions) are written here in clear; keep it root/redis-only.
dir /var/lib/redis
rdb-del-sync-files no
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-sync-max-replicas 0
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
oom-score-adj no
oom-score-adj-values 0 200 800
disable-thp yes
appendonly no
appendfilename "appendonly.aof"
appenddirname "appendonlydir"
appendfsync everysec
no-appendfsync-on-rewrite no
acllog-max-len 128
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
aof-timestamp-enabled no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes

PHP

Recommended version: 8.1

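# PHP 8.1 from deb.sury.org. The repository key goes into a repo-scoped keyring referenced via
# signed-by; the original used `apt-key add`, which is deprecated and would let this key sign
# every configured repository.
wget -qO /usr/share/keyrings/sury-php-archive-keyring.gpg https://packages.sury.org/php/apt.gpg
echo "deb [signed-by=/usr/share/keyrings/sury-php-archive-keyring.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/sury-php.list
apt update
# php8.1-fpm and php8.1-mysql were listed twice in the original; the brace list already covers them.
apt install php8.1-{bcmath,fpm,xml,mysql,zip,intl,ldap,gd,cli,bz2,curl,mbstring,pgsql,opcache,soap,cgi,xmlrpc,mcrypt,imagick,redis}
nano /etc/php/8.1/fpm/php-fpm.conf
nano /etc/php/8.1/fpm/php.ini
systemctl restart php8.1-fpm
systemctl enable php8.1-fpm
nano /etc/nginx/nginx.conf
nano /etc/nginx/conf.d/{website}.conf
# This makes the whole document root writable by the user PHP runs as, so a vulnerable script
# can drop files next to itself. Prefer root-owned code with only the directories the
# application must write to (uploads, cache) handed to www-data.
chown -R www-data:www-data /usr/share/nginx/html
systemctl restart nginx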
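# /etc/php/8.1/fpm/php-fpm.conf
; Debian's stock php-fpm.conf includes pool.d/*.conf, which ships its own [www] pool; make
; sure this [www] section replaces that file rather than duplicating it - TODO confirm.
[global]
pid = /run/php/php8.1-fpm.pid
error_log = /var/log/php8.1-fpm.log
log_level = notice
[www]
listen = /run/php/php8.1-fpm.sock
listen.backlog = 8192
; Only applies to a TCP listener; it has no effect on the unix socket above.
listen.allowed_clients = 127.0.0.1
listen.owner = www-data
listen.group = www-data
; The original 0666 let every local account connect to FPM and execute PHP as www-data.
; nginx runs as www-data (nginx.conf `user www-data www-data;`), so owner/group is enough.
listen.mode = 0660
user = www-data
group = www-data
pm = dynamic
; Reachable only if nginx routes this path to FPM; keep it off the public vhost or IP-restrict it.
pm.status_path = /phpfpm_81_status
pm.max_children = 30
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
request_terminate_timeout = 100
request_slowlog_timeout = 30
slowlog = /var/log/slow.log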

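# /etc/php/8.1/fpm/php.ini
; Production php.ini for the FPM SAPI. Lines changed from the original are marked "hardening:".
[PHP]
engine = On
short_open_tag = On
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
; Process-spawning, pcntl and a few filesystem functions are blocked for every script;
; applications that need them fail loudly. ("popepassthru" is a typo for a non-existent
; function and is harmless.)
disable_functions = passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
zend.exception_string_param_max_len = 0
expose_php = Off
max_execution_time = 300
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_NOTICE
; hardening: the original had display_errors = On, which prints stack traces, file paths and
; query fragments to anonymous visitors. Errors still reach the log via log_errors = On.
display_errors = Off
display_startup_errors = Off
log_errors = On
; Believed removed in PHP 8.1 and ignored if so; kept for older interpreters.
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 50M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
; hardening: was 1. The nginx PHP location sets SCRIPT_FILENAME and PATH_INFO explicitly, so
; PHP never has to guess where the script path ends; with 1, a request such as
; /uploads/x.jpg/foo.php could be executed as PHP if the web server ever passed it through.
cgi.fix_pathinfo=0
file_uploads = On
upload_max_filesize = 50M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
date.timezone = PRC
[filter]
[iconv]
[imap]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
; Requires php8.1-redis (installed in this section). The local Redis has no password in this
; guide, so anything on the host that reaches 127.0.0.1:6379 can read or forge sessions.
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"
; hardening: was 0. Strict mode rejects session IDs the server did not issue (session fixation).
session.use_strict_mode = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
; hardening: the site is HTTPS-only (nginx redirects port 80), so the cookie never needs to
; travel in clear; HttpOnly keeps it away from script; Lax stops cross-site POSTs carrying it.
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Lax
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
[curl]
curl.cainfo = /etc/ssl/certs/ca-certificates.crt
[openssl]
openssl.cafile=/etc/ssl/certs/ca-certificates.crt
[Zend Opcache]
opcache.enable = 1
opcache.memory_consumption=128
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=80000
; Changed .php files are picked up within 3 seconds; deployments do not need an FPM restart.
opcache.revalidate_freq=3
; Believed removed in PHP 7.2 and ignored if so; harmless to leave.
opcache.fast_shutdown=1
opcache.enable_cli=1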
# /etc/nginx/nginx.conf
# Additions for PHP-FPM: merge these into the existing file (there is exactly one http block),
# do not paste a second `http {}`.
# nginx switches to www-data so its workers can open the FPM socket, which php-fpm.conf
# creates with listen.owner/listen.group = www-data.
user www-data www-data;
http {
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
# nginx serves its own error pages for FastCGI responses with status >= 300; this also hides
# any error body the PHP application rendered itself.
fastcgi_intercept_errors on;
}

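# nano /etc/nginx/conf.d/{website}.conf
# Location blocks to add inside the 443 server block. Regex locations are tried in the order
# written, so the dotfile deny must stay ahead of the static-asset block.
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ [^/]\.php(/|$) {
# Only hand an existing .php file to FPM. This is the nginx-side guard against
# /uploads/x.jpg/evil.php being executed as PHP (it also means the PATH_INFO branch below
# only triggers when $uri itself is a file).
try_files $uri =404;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_index index.php;
# Per-vhost open_basedir pushed into FPM as an admin value; scripts cannot override it.
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";
include fastcgi_params;
# Split "/script.php/extra" into the script and its PATH_INFO. $path_info is initialised so
# it is never an undefined variable when the URI carries no trailing path. SCRIPT_FILENAME is
# set once, after the split (the original also set it before the include, redundantly).
set $real_script_name $fastcgi_script_name;
set $path_info "";
if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
set $real_script_name $1;
set $path_info $2;
}
fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
fastcgi_param SCRIPT_NAME $real_script_name;
fastcgi_param PATH_INFO $path_info;
}
# Deny every dotfile and dot-directory (.git, .env, .htaccess, ...) - the original only covered
# .ht* - while leaving /.well-known reachable for ACME http-01 should it ever be used.
location ~ /\.(?!well-known) {
deny all;
}
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}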

Docker

Recommended Docker image: containrrr/watchtower. Note that it needs the Docker socket (root-equivalent on the host) and that, combined with the `latest` tags used below, it performs unattended upgrades of the vault container — decide whether that is acceptable before enabling it.

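# Docker CE from download.docker.com, then Vaultwarden with watchtower on a user-defined network.
apt-get update
apt -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# Everything here already runs as root; the stray `sudo` in the original was the only one in the guide.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io
nano /etc/docker/daemon.json
systemctl daemon-reload
systemctl restart docker
# Both containers join network "main" with fixed addresses in 172.18.0.0/16. The original never
# created that network, so `docker run --net main` fails on a fresh host.
docker network inspect main >/dev/null 2>&1 || docker network create --subnet 172.18.0.0/16 main
# ADMIN_TOKEN: the plain value is visible in `docker inspect` and to anyone who can read the
# shell history. Newer vaultwarden releases accept a hashed token instead - check the wiki.
# `latest` plus watchtower means unattended upgrades of a password vault; pin a version if that
# is not acceptable.
docker run -d --name vaultwarden --net main --ip 172.18.0.2 -v /vw-data/:/data/ \
-e DOMAIN=https://{site}/{path} \
-e SIGNUPS_ALLOWED=false -e INVITATIONS_ALLOWED=false \
-e ADMIN_TOKEN={token} \
-e WEBSOCKET_ENABLED=true -e SHOW_PASSWORD_HINT=false \
vaultwarden/server:latest
# watchtower holds the Docker socket, which is root on the host. It is scoped to the two named
# containers, but a compromise of watchtower is a compromise of the machine.
docker run -d \
--name watchtower --net main --ip 172.18.0.3 \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower:latest \
--cleanup \
watchtower vaultwarden
nano /etc/nginx/conf.d/{website}.conf
systemctl restart nginx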
// /etc/docker/daemon.json
{"registry-mirrors":["https://reg-mirror.qiniu.com/"]}
# /etc/nginx/conf.d/{website}.conf
# Fragment: the `upstream` blocks belong at http level and the `location`s go inside the
# existing 443 server block - the bare `server {` below stands for that block, not a new one.
# Not covered here: /{path}/admin is reachable by anyone who can guess the ADMIN_TOKEN; an
# `allow <your-ip>; deny all;` location for it is worth adding. Attachment uploads may also
# need a client_max_body_size above the 50m set globally - TODO confirm the app's limit.

upstream vaultwarden-default {
zone vaultwarden-default 64k;
# Fixed container address from `docker run --ip 172.18.0.2`; port 80 is vaultwarden's HTTP port.
server 172.18.0.2:80;
keepalive 2;
}
upstream vaultwarden-ws {
zone vaultwarden-ws 64k;
# Separate websocket port enabled by WEBSOCKET_ENABLED=true; newer vaultwarden releases serve
# websockets on the main port instead - TODO confirm for the image version actually pulled.
server 172.18.0.2:3012;
keepalive 2;
}
server {
location /{path} {
# HTTP/1.1 with an empty Connection header keeps the upstream keepalive pool usable.
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
location /{path}/notifications/hub/negotiate {
proxy_http_version 1.1;
proxy_set_header "Connection" "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
location /{path}/notifications/hub {
# Websocket upgrade: pass the client's Upgrade header through and force Connection: upgrade.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# RFC 7239 expects "for=<addr>"; a bare address is not a well-formed Forwarded header. It is
# presumably ignored, with X-Real-IP / X-Forwarded-For doing the work - TODO confirm.
proxy_set_header Forwarded $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-ws;
}
}