casaos — b14esh.com

Ссылки

https://casaos.zimaspace.com/
https://github.com/IceWhaleTech/CasaOS

1 2	https://casaos.zimaspace.com/ https://github.com/IceWhaleTech/CasaOS

Установка:

0. Обновляем source.list и  ставим пакеты

# debian12
vim /etc/apt/sources.list 
-------------------------
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware

deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main contrib  non-free non-free-firmware

deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
-------------------------

apt update
apt install sudo vim curl  qemu-kvm libvirt-daemon-system ovmf  virtinst openvswitch-switch bridge-utils  rsync openssl






1. Создаем юзера
adduser user1
usermod -aG sudo user1

2. Редактируем судоерс, находим блок и редактируем его добавив "user1  ALL=(ALL:ALL) NOPASSWD: ALL"
visudo 
------
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
user1  ALL=(ALL:ALL) NOPASSWD: ALL
------

3. Ставим casaos под пользователем user1 
su user1
curl -fsSL https://get.casaos.io | sudo bash

0. Обновляем source.list и ставим пакеты

# debian12

vim /etc/apt/sources.list

-------------------------

deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware

deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware

deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware

-------------------------

apt update

apt install sudo vim curl qemu-kvm libvirt-daemon-system ovmf virtinst openvswitch-switch bridge-utils rsync openssl

1. Создаем юзера

adduser user1

usermod -aG sudo user1

2. Редактируем судоерс, находим блок и редактируем его добавив "user1 ALL=(ALL:ALL) NOPASSWD: ALL"

visudo

------

# User privilege specification

root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

user1 ALL=(ALL:ALL) NOPASSWD: ALL

------

3. Ставим casaos под пользователем user1

su user1

curl -fsSL https://get.casaos.io | sudo bash

https to http proxy / используем само подписанный сертификат

0. Ставим nginx
apt install nginx
Остановим его пока что 
systemctl stop nginx

1. Генерируем сертификаты, увеличиваем кол-во дней жизни сертификата
На все вопросы жмем Enter 
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Генерируем ДХ
openssl dhparam -out /etc/nginx/dhparam.pem 4096

2. Приводим конфиг примерно к такому виду
vim /etc/nginx/sites-available/default
--------------------------------------
# Default server configuration
server {
        listen 555 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}

#ssl_protocols TLSv1.2;
#ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling off; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


server {
  listen 443 ssl;
  #server_name casaos.b14esh.com;
  server_name 192.168.15.100;

  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  location / {
    proxy_pass http://192.168.15.100:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}


server {
        listen 10082 ssl;
        #server_name b14esh.com;
        server_name 192.168.15.100;

        client_max_body_size 32G;
        client_body_timeout 300s;
        fastcgi_buffers 64 4K;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        location / {
        proxy_pass http://192.168.15.100:10081;
        }
}
root@hsrv0:/DATA/AppData/nextcloud/var/www/html# vim /etc/nginx/sites-available/default
root@hsrv0:/DATA/AppData/nextcloud/var/www/html# systemctl stop  nginx
root@hsrv0:/DATA/AppData/nextcloud/var/www/html# systemctl start  nginx
root@hsrv0:/DATA/AppData/nextcloud/var/www/html# cat  /etc/nginx/sites-available/default
# Default server configuration
server {
        listen 555 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}

#ssl_protocols TLSv1.2;
#ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling off; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


server {
  listen 443 ssl;
  #server_name casaos.b14esh.com;
  server_name 192.168.15.100;

  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  location / {
    proxy_pass http://192.168.15.100:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}


server {
        listen 10082 ssl;
        #server_name b14esh.com;
        server_name 192.168.15.100;

        client_max_body_size 32G;
        client_body_timeout 300s;
        fastcgi_buffers 64 4K;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        location / {
        proxy_pass http://192.168.15.100:10081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

--------------------------------------

Запускаем nginx 
systemctl start nginx

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

0. Ставим nginx

apt install nginx

Остановим его пока что

systemctl stop nginx

1. Генерируем сертификаты, увеличиваем кол-во дней жизни сертификата

На все вопросы жмем Enter

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

openssl req -x509 -nodes -days 10000 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Генерируем ДХ

openssl dhparam -out /etc/nginx/dhparam.pem 4096

2. Приводим конфиг примерно к такому виду

vim /etc/nginx/sites-available/default

--------------------------------------

# Default server configuration

server {

listen 555 default_server;

root /var/www/html;

index index.html index.htm index.nginx-debian.html;

server_name _;

location / {

# First attempt to serve request as file, then

# as directory, then fall back to displaying a 404.

try_files $uri $uri/ =404;

}

#ssl_protocols TLSv1.2;

#ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/dhparam.pem;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off; # Requires nginx >= 1.5.9

ssl_stapling off; # Requires nginx >= 1.3.7

ssl_stapling_verify on; # Requires nginx => 1.3.7

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

# Disable strict transport security for now. You can uncomment the following

# line if you understand the implications.

# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

server {

listen 443 ssl;

#server_name casaos.b14esh.com;

server_name 192.168.15.100;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

location / {

proxy_pass http://192.168.15.100:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

server {

listen 10082 ssl;

#server_name b14esh.com;

server_name 192.168.15.100;

client_max_body_size 32G;

client_body_timeout 300s;

fastcgi_buffers 64 4K;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

location / {

proxy_pass http://192.168.15.100:10081;

}

root@hsrv0:/DATA/AppData/nextcloud/var/www/html# vim /etc/nginx/sites-available/default

root@hsrv0:/DATA/AppData/nextcloud/var/www/html# systemctl stop nginx

root@hsrv0:/DATA/AppData/nextcloud/var/www/html# systemctl start nginx

root@hsrv0:/DATA/AppData/nextcloud/var/www/html# cat /etc/nginx/sites-available/default

# Default server configuration

server {

listen 555 default_server;

root /var/www/html;

index index.html index.htm index.nginx-debian.html;

server_name _;

location / {

# First attempt to serve request as file, then

# as directory, then fall back to displaying a 404.

try_files $uri $uri/ =404;

}

#ssl_protocols TLSv1.2;

#ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/dhparam.pem;

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off; # Requires nginx >= 1.5.9

ssl_stapling off; # Requires nginx >= 1.3.7

ssl_stapling_verify on; # Requires nginx => 1.3.7

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

# Disable strict transport security for now. You can uncomment the following

# line if you understand the implications.

# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

server {

listen 443 ssl;

#server_name casaos.b14esh.com;

server_name 192.168.15.100;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

location / {

proxy_pass http://192.168.15.100:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

server {

listen 10082 ssl;

#server_name b14esh.com;

server_name 192.168.15.100;

client_max_body_size 32G;

client_body_timeout 300s;

fastcgi_buffers 64 4K;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

location / {

proxy_pass http://192.168.15.100:10081;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

--------------------------------------

Запускаем nginx

systemctl start nginx