
October 27, 2010

Compiling and installing OpenVPN 2.1.3 from source on Ubuntu Server 10.04

Filed under: Linux — lizongbo @ 22:13

The Linux system is a VPS bought from linode.com.
1. Download the source of the OpenVPN stable release 2.1.3:
root@618119.com:/usr/local/app# wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
Source:
http://openvpn.net/index.php/open-source/downloads.html
2. Unpack the source:
root@618119.com:/usr/local/app# tar -zxvf openvpn-2.1.3.tar.gz
3. Run configure to check the build configuration before compiling:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn
The system reports:
LZO library available from http://www.oberhumer.com/opensource/lzo/
configure: error: Or try ./configure --disable-lzo
4. Install the liblzo2-dev library
root@618119.com:/usr/local/app/openvpn-2.1.3# apt-get install liblzo2-dev
Since nginx was compiled against OpenSSL built from source, the latest OpenSSL source is used here as well:
(for downloading the OpenSSL source see: http://618119.com/archives/2010/10/22/174.html)
5. Run configure again:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn --with-ssl-lib=/usr/local/app/openssl-1.0.0a --with-ssl-headers=/usr/local/app/openssl-1.0.0a/include
6. Compile and install
root@618119.com:/usr/local/app/openvpn-2.1.3# make
root@618119.com:/usr/local/app/openvpn-2.1.3# make install
7. Prepare the root certificate information:
root@618119.com:/usr/local/app/openvpn-2.1.3# cd easy-rsa/2.0/
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# vi ./vars
The entries to edit are:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Guangdong"
export KEY_CITY="Shenzhen"
export KEY_ORG="*.618119.com"
export KEY_EMAIL="lizongbo@gmail.com"

8. Generate the root certificate (note that ./vars run as a script does not export the variables; it must be sourced):
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
…..++++++
………………….++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [*.618119.com CA]:
Name []:
Email Address [lizongbo@gmail.com]:

9. Generate the OpenVPN server certificate:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key-server openvpn.618119.com
Generating a 1024 bit RSA private key
…………..++++++
……………………………………….++++++
writing new private key to 'openvpn.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'openvpn.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:49:51 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
10. Generate the OpenVPN client certificate:

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key vpnclient.618119.com
Generating a 1024 bit RSA private key
…………………………..++++++
……………++++++
writing new private key to 'vpnclient.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vpnclient.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'vpnclient.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:53:31 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

11. Generate the dh (Diffie-Hellman) parameters file:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-dh

12. Create the configuration and log directories:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/log
13. Copy the generated key files into /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys/* /usr/local/app/openvpn/conf/keys
14. Copy the server configuration file from the sample config files.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/sample-config-files/server.conf   /usr/local/app/openvpn/conf/

15. Edit the configuration file /usr/local/app/openvpn/conf/server.conf with vi. The settings below are the ones changed from their defaults or uncommented:
# default port 1194 changed to 11194
port 11194

# UDP connections turned out to be unstable in use and the cause could not be found, so TCP is tried instead
proto tcp
;proto udp

ca /usr/local/app/openvpn/conf/keys/ca.crt
cert /usr/local/app/openvpn/conf/keys/server.crt
key /usr/local/app/openvpn/conf/keys/server.key
dh /usr/local/app/openvpn/conf/keys/dh1024.pem

ifconfig-pool-persist /usr/local/app/openvpn/conf/ipp.txt

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

user nobody
# the existing system group nogroup can be used instead; if nobody is used it must first be added with groupadd
group nobody

status /usr/local/app/openvpn/log/openvpn-status.log
log         /usr/local/app/openvpn/log/openvpn.log
log-append  /usr/local/app/openvpn/log/openvpn-append.log

verb 5

15. Start OpenVPN with the configuration file specified:
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf
After starting it, the OpenVPN process turned out not to be running.
root@618119.com:/usr/local/app/openvpn/log# tail *.log
The log shows the following error:
Sun Oct 24 07:10:38 2010 us=152299 failed to find GID for group nobody
Sun Oct 24 07:10:38 2010 us=152331 Exiting
16. Run the following command:
root@618119.com:/usr/local/app/openvpn/log# groupadd nobody

17. Start openvpn again; this time it starts successfully.
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf

18. Configure packet forwarding on the Ubuntu Linux server:

root@618119.com:~# sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@618119.com:~# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

19. Configure the OpenVPN client on Ubuntu Linux:
client.conf is configured as follows:
client
# port given explicitly, using 11194
remote *.*.*.* 11194
ca /usr/local/appr/openvpn/conf/keys/ca.crt
cert /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.crt
key /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.key
reneg-sec 0
comp-lzo yes
dev tun
# protocol changed from udp to tcp
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn

20. Connect from the network connection.
Once the openvpn connection is up, http://www.youtube.com/ and http://twitter.com/ can both be opened normally in the local browser.

Sun Oct 24 10:56:38 2010 us=259482 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This connection error may be caused by the network; try connecting a few more times.

21. To use OpenVPN on Windows, first download the Windows client:
http://openvpn.net/release/openvpn-2.1.3-install.exe
After installation, on the local machine

22. Prepare the certificate and other files locally, then the client configuration file C:\Program Files\OpenVPN\bin\client.ovpn:
----------------------------------------------------------
client
remote *.*.*.* 11194
ca I:\\temp\\keys\\ca.crt
cert I:\\temp\\keys\\vpnclient.618119.com.crt
key I:\\temp\\keys\\vpnclient.618119.com.key
reneg-sec 0
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn

----------------------------------------------------------

23. Run the program from a DOS window to connect:

C:\Program Files\OpenVPN\bin>openvpn client.ovpn
Wed Oct 27 22:11:02 2010 NOTE: --user option is not implemented on Windows
Wed Oct 27 22:11:02 2010 NOTE: --group option is not implemented on Windows
Wed Oct 27 22:11:02 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Oct 27 22:11:02 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 27 22:11:02 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 27 22:11:02 2010 LZO compression initialized
Wed Oct 27 22:11:02 2010 UDPv4 link local: [undef]
Wed Oct 27 22:11:02 2010 UDPv4 link remote: *.*.*.*:11194
Wed Oct 27 22:11:30 2010 [_.618119.com] Peer Connection Initiated with 173.255.196.174:11194
Wed Oct 27 22:11:37 2010 TAP-WIN32 device [本地连接 2] opened: \\.\Global\{FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}.tap
Wed Oct 27 22:11:37 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed Oct 27 22:11:37 2010 Successful ARP Flush on interface [131077] {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}
Wed Oct 27 22:11:42 2010 Initialization Sequence Completed
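The Windows log above warns that no server certificate verification method is enabled: with only ca/cert/key configured, the client accepts any certificate signed by this CA, including another client's, as the server. This added example (not code from the post or from OpenVPN) parses a client config in OpenVPN's own line format and flags that gap, plus the script-security setting the log also notes is unused here; the weak sample is the post's client.ovpn with a placeholder address, and the helper names are this example's own.

```python
import re

# OpenVPN 2.1 options that make the client insist the peer presents a
# *server* certificate (build-key-server marks server certs as such).
SERVER_VERIFY_OPTIONS = {"remote-cert-tls", "ns-cert-type",
                         "remote-cert-ku", "remote-cert-eku", "tls-remote"}
# Directives that actually need script-security to run anything.
SCRIPT_OPTIONS = {"up", "down", "route-up", "ipchange", "auth-user-pass-verify"}


def parse_openvpn_config(text):
    """Return [(option, [args])] for each directive; '#' and ';' start comments."""
    directives = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def audit_client_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = {name for name, _ in parse_openvpn_config(text)}
    findings = []
    if not opts & SERVER_VERIFY_OPTIONS:
        findings.append("no server certificate verification method: add "
                        "'remote-cert-tls server' (or 'ns-cert-type server')")
    if "script-security" in opts and not opts & SCRIPT_OPTIONS:
        findings.append("script-security is set but no directive uses scripts: "
                        "remove it so the config cannot run user-defined scripts")
    return findings


# Constructed sample: the post's client.ovpn with a placeholder address.
WEAK_CLIENT_CONF = """\
client
remote 192.0.2.1 11194   # placeholder, not the post's server address
ca ca.crt
cert vpnclient.618119.com.crt
key vpnclient.618119.com.key
reneg-sec 0
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
"""

# Hardened variant: drop the unused script-security, verify the server cert.
HARDENED_CLIENT_CONF = (WEAK_CLIENT_CONF.replace("script-security 2\n", "")
                        + "remote-cert-tls server\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print(label, audit_client_config(conf) or ["ok"])
```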

Related reference articles:
1. OpenVPN official documentation:
http://openvpn.net/index.php/open-source/documentation/howto.html#install
2. Installing OpenVPN Server on Ubuntu Server:
http://www.douhua.im/2010/01/06/ubuntu-server-install-openvpn-server/
3. Installing and configuring OpenVPN:
http://pityonline.info/?p=1054
4. Installing openvpn on Ubuntu:
http://space.itpub.net/7201003/viewspace-312657
5. Error message: UDPv4 [ECONNREFUSED]: Connection refused (code=111)
http://readthefuckingmanual.net/error/383/

http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

http://blog.darkices.com/archive/openvpn-server-side-dns-hijacking-to-solve-the-problem-of-pollution-dns.html
http://omobox.com/memo/tunnelier-instead-of-myentunnel.html

http://blog.darkices.com/archive/build-ssh-proxy-on-vps.html#comment-275

Commands to check whether tun is enabled:
dmesg|grep tun
or: ls -l /dev/net/tun

Reference: http://www.hostloc.com/thread-6106-5-589.html

October 22, 2010

Compiling, installing and configuring nginx 0.8.52 on Ubuntu Server 10.04 LTS

Filed under: Linux, nginx, SSL — lizongbo @ 13:37

Installing and configuring nginx 0.8.52 on Ubuntu Server 10.04 LTS

The operating system is Linux on linode: Ubuntu Server 10.04 LTS.
The latest nginx version is 0.8.52:
http://nginx.org/download/nginx-0.8.52.tar.gz
Source: http://nginx.org/en/download.html
The PCRE library nginx depends on, latest version 8.10:
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.gz
Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
The latest OpenSSL version is 1.0.0a:
http://www.openssl.org/source/openssl-1.0.0a.tar.gz
Source: http://www.openssl.org/source/
The latest zlib version is 1.2.5:
http://zlib.net/zlib-1.2.5.tar.gz
Create an app directory under /usr/local; all applications are installed and configured under it:
root@618119.com:/usr/local# sudo mkdir app
root@618119.com:/usr/local# cd ./app
Then download the packages:
root@618119.com:/usr/local/app# wget http://nginx.org/download/nginx-0.8.52.tar.gz
root@618119.com:/usr/local/app# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.gz
root@618119.com:/usr/local/app# wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
root@618119.com:/usr/local/app# wget http://zlib.net/zlib-1.2.5.tar.gz
Then unpack the archives:
root@618119.com:/usr/local/app# tar -zxvf nginx*
root@618119.com:/usr/local/app# tar -zxvf pcre*
root@618119.com:/usr/local/app# tar -zxvf openssl*
root@618119.com:/usr/local/app# tar -zxvf zlib*
gcc and the other build tools are missing, so first run:
root@618119.com:/usr/local/app# apt-get install gcc libc6-dev build-essential
Change into the directory produced by unpacking nginx:
root@618119.com:/usr/local/app# cd nginx-*
Run the configure command, setting the nginx install directory to /usr/local/app/nginx.
The --with-http_stub_status_module parameter enables stub_status monitoring.
root@618119.com:/usr/local/app/nginx-0.8.52#  ./configure --prefix=/usr/local/app/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre=/usr/local/app/pcre-8.10 --with-openssl=/usr/local/app/openssl-1.0.0a --with-zlib=/usr/local/app/zlib-1.2.5
Then run make to compile:
root@618119.com:/usr/local/app/nginx-0.8.52# make
Then run make install:
root@618119.com:/usr/local/app/nginx-0.8.52# make install

The nginx user and group still need to be added (starting without them gives: [emerg]: getpwnam("nginx") failed):
root@618119.com:/usr/local/app/nginx# sudo adduser --system --no-create-home --disabled-login --disabled-password --group nginx
Change into the nginx sbin directory and check the configuration file with the -t parameter:
root@618119.com:/usr/local/app/nginx# cd sbin/
root@618119.com:/usr/local/app/nginx/sbin# sudo ./nginx -t
the configuration file /usr/local/app/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/app/nginx/conf/nginx.conf test is successful

nginx 0.8.52 is now installed on the linode VPS.
root@618119.com:/usr/local/app/nginx/sbin# ./nginx
[emerg]: bind() to 0.0.0.0:80 failed (13: Permission denied)
root@618119.com:/usr/local/app/nginx/sbin# sudo ./nginx
(If it is not started as root, it reports: [emerg]: bind() to 0.0.0.0:80 failed (13: Permission denied))
Once started, visiting port 80 over http shows Welcome to nginx!

Next, create an init script to run nginx as a system service, following http://articles.slicehost.com/2007/10/17/ubuntu-lts-adding-an-nginx-init-script

#! /bin/sh

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/app/nginx/sbin/nginx
NAME=nginx
DESC=nginx

test -x $DAEMON || exit 0

# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
    . /etc/default/nginx
fi

set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /usr/local/app/nginx/logs/$NAME.pid \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /usr/local/app/nginx/logs/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  restart|force-reload)
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile \
        /usr/local/app/nginx/logs/$NAME.pid --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile \
        /usr/local/app/nginx/logs/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  reload)
    echo -n "Reloading $DESC configuration: "
    start-stop-daemon --stop --signal HUP --quiet --pidfile /usr/local/app/nginx/logs/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

Then run: sudo /usr/sbin/update-rc.d -f nginx defaults to install nginx as a default service.

Now when Ubuntu is rebooted in linode, the nginx service starts automatically as well.

October 26, 2007

Configuring curl on Windows to fetch https page content

Filed under: Web Server — lizongbo @ 14:05

I just saw javayou mention a curl command that can be used on Windows,
http://www.javayou.com/html/diary/showlog.vm?sid=2&log_id=13985

so I downloaded the SSL-enabled curl to use:
Download link: http://www.execve.net/curl/curl-7.17.0-win32-ssl.zip

Unpack it to D:\Programs\curl-7.17.0
Download the OpenSSL components:
http://618119.com/OpenSSL/libeay32.dll
http://618119.com/OpenSSL/libssl32.dll
Copy libssl32.dll and libeay32.dll to D:\Programs\curl-7.17.0,

otherwise running curl.exe produces the prompt:

—————————
curl.exe – 无法找到组件
—————————
没有找到 libeay32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————

—————————
curl.exe – 无法找到组件
—————————
没有找到 libssl32.dll,因此这个应用程序未能启动。重新安装应用程序可能会修复此问题。
—————————
确定
—————————
(Reference: http://618119.com/archives/2007/10/26/15.html)
If the site being connected to uses a certificate not already trusted by the operating system, the CA root certificate file must be specified.
The server certificate's CN must also match the host in the URL, otherwise the download fails.

Example test commands:

curl https://www.google.com/

curl https://www.618119.com/

curl https://lizongbo.618119.com/ --cacert ca.crt

D:\Programs\curl-7.17.0>curl https://www.google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A href="http://www.google.com">here</A>.
</BODY></HTML>

D:\Programs\curl-7.17.0>curl https://618119.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

D:\Programs\curl-7.17.0>curl https://lizongbo.618119.com/ --cacert ca.crt
curl: (51) SSL: certificate subject name '618119.com' does not match target host name 'lizongbo.618119.com'
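The two curl failures above are the two checks a TLS client makes: chain validation against a trusted CA (error 60) and matching the certificate's name against the host in the URL (error 51). This added example, not curl's own code, implements the name-matching rule in Python, wildcard handling included, and reproduces the error 51 verdict from the post; the function names and the sample names are this example's own.

```python
def name_matches_host(cert_name, host):
    """Return True if a DNS name from the certificate matches the URL host.

    Rules (the ones curl applies): case-insensitive exact match, or a
    wildcard that is the whole leftmost label and covers exactly one
    label, with at least two more labels so that '*.com' is rejected.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    first, _, rest = cert_name.partition(".")
    if first != "*" or "." not in rest:
        return False
    host_first, host_sep, host_rest = host.partition(".")
    # The wildcard stands in for one non-empty label; the rest must be equal.
    return host_sep == "." and host_first != "" and host_rest == rest


def check_certificate_names(cert_names, host):
    """Mimic curl's verdict: None when some name (CN or SAN dNSName) matches,
    otherwise the text of curl's error 51 as shown in the post."""
    if any(name_matches_host(name, host) for name in cert_names):
        return None
    return ("SSL: certificate subject name '%s' does not match target host "
            "name '%s'" % (cert_names[0], host))


if __name__ == "__main__":
    # Constructed cases mirroring the post: a cert for 618119.com is rejected
    # for lizongbo.618119.com, while a *.618119.com cert would be accepted.
    print(check_certificate_names(["618119.com"], "lizongbo.618119.com"))
    print(check_certificate_names(["*.618119.com"], "lizongbo.618119.com"))
```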

