diff --git a/Nginx_install.md b/Nginx_install.md index 5a6774c..0753298 100644 --- a/Nginx_install.md +++ b/Nginx_install.md @@ -11,7 +11,7 @@ ssh igor@88.218.94.134 -p 2200 ---------------------------------------------------------------------------------------------------- ```sh sudo apt-get update && -sudo apt-get install nginx +sudo apt-get install nginx -y ``` Настройка самоподписанного сертификата для SSL nginx ```sh @@ -21,10 +21,6 @@ sudo apt-get install nginx ```sh sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096 ``` -Создаём файл: -```sh - sudo mcedit /etc/nginx/conf.d/ssl.conf -``` И вписываем в него: ```sh cd /etc/nginx/sites-available/ && diff --git a/PowerDNS_install.md b/PowerDNS_install.md index 7c425e3..259c4be 100644 --- a/PowerDNS_install.md +++ b/PowerDNS_install.md @@ -135,6 +135,14 @@ sudo pdnsutil add-record locust.ge @ CAA 3600 "0 issue \"letsencrypt.org\"" && sudo pdnsutil add-record locust.ge @ TXT 3600 "\"v=spf1 ip4:88.218.94.134 -all\"" && sudo pdnsutil add-record locust.ge @ MX 3600 "10 mail.locust.ge." && sudo pdnsutil add-record locust.ge mail A 3600 88.218.94.134 + +sudo pdnsutil add-record locust.ge @ NS 3600 ns1.geovizor.top +sudo pdnsutil add-record locust.ge @ NS 3600 ns2.geovizor.top +``` + +For deleting record please run command: +```sh +pdnsutil delete-rrset locust.ge locust.ge.locust.ge NS ``` diff --git a/PowerDNS_install_SQIite3.md b/PowerDNS_install_SQIite3.md index ab26fd9..87d5a54 100644 --- a/PowerDNS_install_SQIite3.md +++ b/PowerDNS_install_SQIite3.md 
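Review bot: The new delete example `pdnsutil delete-rrset locust.ge locust.ge.locust.ge NS` drops the `sudo` that every `add-record` line above it carries, and it targets a doubled name `locust.ge.locust.ge`, which looks like the leftover of an earlier `add-record locust.ge locust.ge NS …` rather than a record a reader would normally want to remove. pdnsutil takes the record name relative to the zone, so the apex is `@` exactly as the two added NS lines use it; a comment above the delete command, `# record names are relative to the zone: @ is the apex, passing the zone name again yields locust.ge.locust.ge`, would say why that stray record exists, and the command itself should read `sudo pdnsutil delete-rrset locust.ge locust.ge.locust.ge NS`. It is worth one sentence that the apex NS set added here (ns1/ns2.geovizor.top) must match the delegation the registrar holds for locust.ge.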
@@ -127,3 +127,17 @@ sudo chmod 640 /etc/powerdns/pdns.d/pdns.local.sqlite.conf ``` In PowerDNS configured to auto read config from dir /etc/powerdns/pdns.d/ + + + + +For delete record from SQLite run: +```sh +cp /var/lib/powerdns/pdns.sqlite3 /var/lib/powerdns/pdns.sqlite3.bak +sqlite3 /var/lib/powerdns/pdns.sqlite3 +SELECT id, name FROM domains WHERE name = 'locust.ge'; +SELECT id, name, type, content FROM records WHERE name = 'locust.ge.locust.ge' AND type = 'NS'; +DELETE FROM records WHERE id IN (25, 26, 27, 28); +.exit +pdns_control notify locust.ge +``` diff --git a/Traefik_install.md b/Traefik_install.md index 87a02cd..ecfadc8 100644 --- a/Traefik_install.md +++ b/Traefik_install.md @@ -80,7 +80,7 @@ providers: certificatesResolvers: myresolver: acme: - email: "your-email@example.com" + email: "irigm@mail.ru" storage: "/etc/traefik/acme.json" httpChallenge: entryPoint: web 
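Review bot: `DELETE FROM records WHERE id IN (25, 26, 27, 28);` hard-codes row ids from one database, so a reader following the page deletes whatever rows happen to carry those ids; the predicate should be the one the preceding SELECT already uses, `DELETE FROM records WHERE name = 'locust.ge.locust.ge' AND type = 'NS';`, with the SELECT kept as the dry run. Copying a SQLite file that pdns_server may be writing (`cp … pdns.sqlite3.bak`) can yield an inconsistent backup; `sqlite3 /var/lib/powerdns/pdns.sqlite3 ".backup /var/lib/powerdns/pdns.sqlite3.bak"` takes a consistent one, and given the ownership set up earlier on the page these commands presumably need `sudo`. Editing the table directly also bypasses pdnsutil, so the SOA serial is not increased and `pdns_control notify locust.ge` will likely not make secondaries pick the change up — run `sudo pdnsutil increase-serial locust.ge` before the notify, or prefer `pdnsutil delete-rrset` as the PowerDNS_install.md page in this same commit documents. The intro line reads better as `To delete a record from SQLite, run:`.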
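Review bot: `email: "irigm@mail.ru"` replaces the placeholder with a real mailbox in a committed example config, so the address is now part of the repository history and of every copy of this guide. Keep the placeholder (`email: "your-email@example.com"`) in the documented example and tell the reader to substitute their own ACME contact; the real value belongs only in the deployed /etc/traefik/traefik.yml.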
@@ -103,56 +103,56 @@ http: service: api@internal ccalm-api-auth: - rule: "Host(`ccalm.test`) && PathPrefix(`/api/authorization/v02/`)" - service: org_ccalm_api_authorization_v02 entryPoints: - websecure + rule: "Host(`ccalm.test`) && PathPrefix(`/api/authorization/v02/`)" + service: org_ccalm_api_authorization_v02 tls: certresolver: myresolver middlewares: - strip-auth-prefix ccalm-dbms: - rule: "Host(`ccalm.test`) && PathPrefix(`/api/dbms/v09/`)" - service: org_ccalm_dbms_v09 entryPoints: - websecure + rule: "Host(`ccalm.test`) && PathPrefix(`/api/dbms/v09/`)" + service: org_ccalm_dbms_v09 tls: certresolver: myresolver middlewares: - strip-dbms-prefix ccalm-translation: - rule: "Host(`ccalm.test`) && PathPrefix(`/api/translation/v01/`)" - service: org_ccalm_translation_v01 entryPoints: - websecure + rule: "Host(`ccalm.test`) && PathPrefix(`/api/translation/v01/`)" + service: org_ccalm_translation_v01 tls: certresolver: myresolver #middlewares: # - strip-translation-prefix ccalm-login: - rule: "Host(`ccalm.test`) && PathPrefix(`/login/`)" - service: org_ccalm_login_v01 entryPoints: - websecure + rule: "Host(`ccalm.test`) && PathPrefix(`/login/`)" + service: org_ccalm_login_v01 tls: certresolver: myresolver ccalm-default: - rule: "Host(`ccalm.test`)" - service: org_ccalm entryPoints: - websecure + rule: "Host(`ccalm.test`)" + service: org_ccalm tls: certresolver: myresolver powerdns: - rule: "Host(`powerdns.local`)" - service: local_powerdns entryPoints: - websecure + rule: "Host(`powerdns.local`)" + service: local_powerdns tls: {} middlewares: diff --git a/Traefik_install_CCALM.md b/Traefik_install_CCALM.md index 45647db..a4cb12a 100644 --- a/Traefik_install_CCALM.md +++ b/Traefik_install_CCALM.md @@ -1,7 +1,7 @@ -# Устанавливаю Traefik на турецский сервер +# Устанавливаю Traefik cервер в Астане ```sh -ssh igor@156.244.31.209 -p 2200 +ssh igor@5.180.46.11 -p 2200 ``` # Установка Traefik на Linux Mint / Ubuntu 
@@ -24,6 +24,18 @@ cd ~ && wget https://github.com/traefik/traefik/releases/download/v3.3.4/traefik_v3.3.4_linux_amd64.tar.gz ``` + +## 📥 Создаём группу и пользователя под которым будет запускаться traefik + +Создаём домашнюю директорию, группу и пользователя: +```sh + sudo mkdir -p /etc/traefik && + cd /etc/traefik && + sudo groupadd traefik && + sudo useradd -s /bin/false -g traefik -d /etc/traefik traefik +``` + + --- ## 📥 Шаг 3. Распаковка и установка @@ -38,6 +50,12 @@ wget https://github.com/traefik/traefik/releases/download/v3.3.4/traefik_v3.3.4_ traefik version ``` +Разрешаем занимать порты с номером меньше 1024 +```sh +sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik +``` + + ```conf Version: 3.3.4 Codename: saintnectaire @@ -48,12 +66,6 @@ OS/Arch: linux/amd64 --- -## 📁 Шаг 4. Создание директории и базового конфига -```sh - sudo mkdir -p /etc/traefik && - cd /etc/traefik -``` - ### Пример `traefik.yml` ```sh cd /etc/traefik && @@ -76,10 +88,6 @@ api: dashboard: true insecure: true -providers: - file: - filename: "/etc/traefik/dynamic.yml" - # Настройка сертификатов (пример с Let's Encrypt) certificatesResolvers: myresolver: @@ -89,6 +97,11 @@ certificatesResolvers: httpChallenge: entryPoint: web +providers: + file: + filename: "/etc/traefik/dynamic.yml" + watch: true + log: level: DEBUG EOF 
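Review bot: The new account is created as a regular (non-system) user with `/bin/false` as shell, and nothing in the hunk gives it access to /etc/traefik even though the same series later makes it the service's `User=`/`Group=` (hunk `@@ -167,10 +274,12 @@`). A system account with a non-interactive shell is the usual form: `sudo useradd --system -s /usr/sbin/nologin -g traefik -d /etc/traefik traefik`. Ownership should follow in the same block, e.g. `sudo chown -R root:traefik /etc/traefik && sudo chmod 750 /etc/traefik`, and acme.json, which the page creates further down with `sudo touch` (outside this hunk) and which is therefore root-owned, has to be writable by that user — `sudo chown traefik:traefik /etc/traefik/acme.json` once it exists; confirm against the lines that follow the `touch`. The `cd /etc/traefik &&` in the middle of the chain affects none of the commands after it (all use absolute paths) and can be dropped.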
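Review bot: `sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/traefik` attaches the capability to the file, so it silently disappears the next time the binary is replaced by the download/unpack steps above, and it applies to anyone who can execute the binary rather than to the service. Since the unit file is rewritten in this same series to run as `User=traefik` (hunk `@@ -167,10 +274,12 @@`), the capability belongs there: `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` under `[Service]` are tied to the service and survive reinstalling the binary. If the setcap step is kept instead, add a sentence that it must be repeated after every update of /usr/local/bin/traefik.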
@@ -98,61 +111,155 @@ EOF ```sh cd /etc/traefik && sudo tee /etc/traefik/dynamic.yml > /dev/null <<'EOF' +--- http: routers: + dashboard: entryPoints: - traefik rule: "Host(`localhost`)" service: api@internal - geovizor-api-zones: - rule: "Host(`geovizor.top`) && PathPrefix(`/api/v1/servers/localhost/zones/`)" - service: top_geovizor_api_zones_v01 + ccalm-api-auth: entryPoints: - websecure + rule: "(Host(`locust.ge`) || Host(`test.ccalm.org`)) && PathPrefix(`/api/authorization/v02/`)" + service: org_ccalm_api_authorization_v02 + tls: + certresolver: myresolver + middlewares: + - strip-auth-prefix + + ccalm-dbms: + entryPoints: + - websecure + rule: "(Host(`locust.ge`) || Host(`test.ccalm.org`)) && PathPrefix(`/api/dbms/v09/`)" + service: org_ccalm_dbms_v09 + tls: + certresolver: myresolver + middlewares: + - strip-dbms-prefix + + ccalm-translation: + entryPoints: + - websecure + rule: "(Host(`locust.ge`) || Host(`test.ccalm.org`)) && PathPrefix(`/api/translation/v01/`)" + service: org_ccalm_translation_v01 tls: certresolver: myresolver - geovizor-default: - rule: "Host(`geovizor.top`)" - service: top_geovizor_default + ccalm-login: entryPoints: - websecure + rule: "(Host(`locust.ge`) || Host(`test.ccalm.org`)) && PathPrefix(`/login/`)" + service: org_ccalm_login_v01 tls: certresolver: myresolver + org-ccalm-main: + entryPoints: + - websecure + rule: "Host(`locust.ge`) || Host(`test.ccalm.org`)" + service: org_ccalm_main + tls: + certresolver: myresolver + + acme-http: + rule: "PathPrefix(`/.well-known/acme-challenge/`)" + entryPoints: + - web + middlewares: [] + service: noop + priority: 1000 + services: - - top_geovizor_api_zones_v01: + + # backend org_ccalm_api_authorization_v02 + org_ccalm_api_authorization_v02: loadBalancer: servers: - - url: "http://156.244.31.209:8081" + - url: "https://127.0.0.1:8082" + serversTransport: insecureTransport healthCheck: path: "/" interval: "5s" - # Бэкенд по умолчанию top_geovizor - top_geovizor_default: + # org_ccalm_dbms_v09 
backend + org_ccalm_dbms_v09: loadBalancer: servers: - - url: "http://127.0.0.1:8082" + - url: "https://127.0.0.1:8084" + serversTransport: insecureTransport healthCheck: path: "/" interval: "5s" + # Translation backend + org_ccalm_translation_v01: + loadBalancer: + servers: + - url: "https://ccalm.org" + passHostHeader: false + serversTransport: insecureTransport + healthCheck: + path: "" + interval: "5s" + + # Backend for org_ccalm_login_v01 (HTTP, without SSL) + org_ccalm_login_v01: + loadBalancer: + servers: + - url: "https://127.0.0.1:8081" + healthCheck: + path: "/" + interval: "5s" + serversTransport: insecureTransport + + # Default backend for ccalm.org + org_ccalm_main: + loadBalancer: + servers: + - url: "https://127.0.0.1:8083" + healthCheck: + path: "/" + interval: "5s" + serversTransport: insecureTransport + + # Fake noop secvices + noop: + loadBalancer: + servers: + - url: "http://127.0.0.1" + # Определяем транспорт для отключения проверки SSL serversTransports: insecureTransport: insecureSkipVerify: true -# Добавляем сертификаты -tls: - certificates: + middlewares: + strip-dbms-prefix: + stripPrefix: + prefixes: + - "/api/dbms/v09" + strip-auth-prefix: + stripPrefix: + prefixes: + - "/api/authorization/v02" + dashboard-auth: + basicAuth: + users: + - "admin:$apr1$NUoqcU3I$O6VxeuGhsA6RSIyh6rNbo." # Пароль хешируется так: htpasswd -nb admin t745632746573t EOF ``` +For checking syntactic: +```sh + yamllint -d "{extends: default, rules: {line-length: disable}}" /etc/traefik/dynamic.yml +``` + + Для хранения сертификатов файл: ```sh sudo touch /etc/traefik/acme.json && @@ -167,10 +274,12 @@ EOF cd /etc/systemd/system && sudo tee /etc/systemd/system/traefik.service > /dev/null <<'EOF' [Unit] -Description=Traefik +Description=Reverse proxy Traefik After=network.target [Service] +User=traefik +Group=traefik ExecStart=/usr/local/bin/traefik --configFile=/etc/traefik/traefik.yml Restart=always 
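Review bot: The comment on the `dashboard-auth` middleware, `# Пароль хешируется так: htpasswd -nb admin t745632746573t`, publishes the plaintext password next to its hash and so defeats the hash; replace the literal with a placeholder, e.g. `# generate with: htpasswd -nB admin '<password>'` (`-B` gives bcrypt instead of the `$apr1$` MD5 scheme shown). The middleware is also never attached: the `dashboard` router has no `middlewares:` entry, so `- dashboard-auth` should be added under it, and with `api: insecure: true` still in traefik.yml on this page the API is served directly on :8080 regardless of that router. `serversTransport: insecureTransport` (`insecureSkipVerify: true`) is understandable for the self-signed 127.0.0.1 backends but also covers `https://ccalm.org`, a public upstream whose certificate can be verified — give that service its own transport. The comment `# Backend for org_ccalm_login_v01 (HTTP, without SSL)` contradicts the `https://127.0.0.1:8081` URL below it, `# Fake noop secvices` has a typo, and `url: "http://127.0.0.1"` for `noop` points at port 80, which is presumably Traefik's own `web` entrypoint — confirm that is intended for the `acme-http` router, since the httpChallenge resolver answers those paths itself.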
@@ -179,7 +288,6 @@ WantedBy=multi-user.target EOF ``` - Примените: ```sh sudo systemctl daemon-reload && @@ -195,12 +303,11 @@ EOF --- ## 🔎 Шаг 6. Проверка работы -Откройте в браузере: +Откройте в браузере cпаролем что быше "": ```sh -open http://localhost:8080/dashboard/ +open https://5.180.46.11:8080/dashboard ``` -> ⚠️ Доступ к дашборду открыт только с localhost. Для удалённого доступа настройте правила. --- @@ -220,6 +327,9 @@ sudo journalctl -u traefik -f + + + ## 🐳 Как вариант можно установить через Docker
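Review bot: `open https://5.180.46.11:8080/dashboard` together with removing the localhost-only warning documents exposing the dashboard on the public address, while traefik.yml on this page keeps `api: insecure: true`, which serves the API on :8080 as plain HTTP with no router, TLS or basicAuth in front of it — so the `https://` scheme will not connect and the "password from above" the new sentence mentions is never asked for. Either keep the warning and reach the dashboard through a tunnel (`ssh -L 8080:127.0.0.1:8080 igor@5.180.46.11 -p 2200`, then `open http://localhost:8080/dashboard/`), or set `insecure: false` and publish the dashboard through a websecure router that carries the `dashboard-auth` middleware defined in dynamic.yml. The path also needs its trailing slash back (`/dashboard/`, as the old line had), and `Откройте в браузере cпаролем что быше "":` needs the missing space, the typo and the stray empty quotes fixed.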