搭建一些开源的工具服务

DoH服务

• 链接：
  • dnscrypt-proxy
  • Installation on Debian and Ubuntu
  • Local-DoH
  • DNS服务器列表
• 使用DoH(Dns Over HTTPS)服务,可以处理一部分网站不可访问的问题。

~$ apt-get install dnscrypt-proxy -y

• Open the file/etc/dnscrypt-proxy/dnscrypt-proxy.tomlin your favorite editor. Find the general section and change the server_namesvariable.

server_names = ['cloudflare']

• And change the nameserver inside /etc/resolv.conf.

  ~$ cat /etc/resolv.conf
  # Generated by dhcpcd
  nameserver 127.0.0.1

NextCloud

• 简介

  • Nextcloud offers the industry-leading, on-premises content collaboration platform.
    Our technology combines the convenience and ease of use of consumer-grade solutions
    like Dropbox and Google Drive with the security, privacy and control business needs.

• 链接:

  • nextcloud
  • github
  • hub.docker
  • HowTo: Ubuntu + Docker + Nextcloud + Talk + Collabora
  • Nextcloud + Raspberry Pi + Docker + Onion service =
  • p2pcf

Docker-compose搭建nextcloud+collabora/code(无HTTPS)

• CODE Docker image

• 6 Docker Compose Best Practices for Dev and Prod

• 目录结构

  nextcloud$ tree -L 2
  .
  ├── db-data [error opening dir]
  ├── docker-compose.yml
  └── volumes
      ├── config
      ├── custom_apps
      ├── data
      ├── html
      └── theme
  
  7 directories, 1 file

• docker-compose.yml

nextcloud$ cat docker-compose.yml
version: "3"
services:
  pg11:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: ${DB_NAME}
      POSTGRES_PASSWORD: ${DB_PASS}
      POSTGRES_USER: ${DB_USER}
    logging:
      driver: "none"
    restart: unless-stopped
    volumes:
      - ./db-data:/var/lib/postgresql/data
    env_file:
      - ./.env

  collabora:
    image: collabora/code:latest
    restart: always
    environment:
      - username=${ADM_USER}
      - password=${ADM_PASS}
      # 注意下面这一行参数很重要.
      - "extra_params=--o:ssl.enable=false --o:net.post_allow.host=192.168.1.100 --o:storage.wopi.host=192.168.1.100 --o:ssl.termination=false"
    ports:
      - "9080:9980"
    cap_add:
      - MKNOD
    env_file:
      - ./.env
    volumes:
      - /etc/hosts:/etc/hosts:ro

  nextcloud:
    image: nextcloud
    restart: unless-stopped
    depends_on:
      - pg11
    cap_add:
      - MKNOD
      - ALL
    volumes:
      - ./volumes/html:/var/www/html
      - ./volumes/config:/var/www/html/config
      - ./volumes/custom_apps:/var/www/html/custom_apps
      - ./volumes/data:/var/www/html/data
      - ./volumes/theme:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
      - /etc/hosts:/etc/hosts:ro
    ports:
      - 8080:80

• 如果安装nextcloud是没有开启HTTPS访问的,就无法在http://cloud.domain.im/settings/apps页面里显示可安装的插件列表.这里也可以自己手动从https://apps.nextcloud.com下载插件包,手动解压到nextcloud/html/apps里,再启用它,就可以像是在线安装的那样使用了.并且如上面所示,需要在本机的/etc/hosts内加入一条如：192.168.1.100 cloud.domain.im这样的记录,并且把它挂载到容器中去,这样可以使用域名来测试,用域名来生成安全证书.

• 安装Collabora Online服务器功能

  ~$ wget -c https://github.com/nextcloud-releases/richdocuments/releases/download/v5.0.3/richdocuments-v5.0.3.tar.gz
  ~$ wget -c https://github.com/CollaboraOnline/richdocumentscode/releases/download/21.11.306/richdocumentscode.tar.gz
  ~$ cd volumes/html/apps
  ~$ tar xvf *.gz && sudo chown www-data:www-data -R richdocuments richdocumentscode

• 配置Collabora Online服务器的URL.

  • 打开http://cloud.domain.im:8080/settings/admin/richdocuments页,选择Use your own server,这里填入http:://cloud.domain.im:9080后,按Save保存配置,如果上面的状态显示绿色的钩,并且显示Collabora Online server is reachable.表示已经连接到服务器了.

• 现在进去到网盘目录里,如果能打开docx,odt这样的文件,表示安装成功,Collaboar Online

• 打开http://cloud.domain.im:9080/browser/dist/admin/admin.html会有服务器相关的管理监控信息.网盘里当前被Collabora Online打开编辑文件,也会显示在Documents open的列表内.

Self-Signed HTTPS版本

• Proxy settings

• 整个工程目录结构如下：

nextcloud$ tree -L 2
.
├── collabora
│   └── coolwsd.xml
├── create_self-sign-tls.sh
├── db-data [error opening dir]
├── docker-compose.yml
├── nginx
│   ├── certs
│   ├── nginx.conf
│   ├── sites-enabled
│   └── ssl
└── volumes
    ├── config
    ├── custom_apps
    ├── data
    ├── html
    └── theme

12 directories, 4 files

• nginx挂载目录结构如下

nextcloud$ tree nginx/
nginx/
├── certs
│   ├── cloud.domain.im.crt
│   └── cloud.domain.im.key
├── nginx.conf
├── sites-enabled
│   └── nextcloud.conf
└── ssl
    └── dhparam.pem

3 directories, 5 files

• nginx全局主配置文件.

  nextcloud$ cat nginx/nginx.conf
  user  nginx;
  worker_processes  1;
  error_log /var/log/nginx/error.log warn;
  pid /var/run/nginx.pid;
  events {
    worker_connections  2048;
    multi_accept        on;
  }
  error_log syslog:server=unix:/dev/log,facility=local6,tag=nginx,severity=error;
  http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
      '$status $body_bytes_sent "$http_referer" '
      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    index index.html index.htm;
    charset utf-8;
    server_tokens off;
    autoindex off;
    client_max_body_size 512m;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    sendfile_max_chunk  51200k;
    tcp_nopush   on;
    tcp_nodelay  on;
    open_file_cache           max=1000 inactive=20s;
    open_file_cache_valid     30s;
    open_file_cache_min_uses  2;
    open_file_cache_errors    off;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    ssl_session_cache         shared:SSL:50m;
    ssl_session_timeout       10m;
    ssl_stapling              off;
    ssl_stapling_verify       off;
    resolver                  8.8.8.8 8.8.4.4;  # replace with `127.0.0.1` if you have a local dns server
    ssl_prefer_server_ciphers on;
    ssl_dhparam               ssl/dhparam.pem;  # openssl dhparam -out ssl/dhparam.pem 4096
    gzip               on;
    gzip_disable       msie6;
    gzip_vary          on;
    gzip_proxied       any;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    include conf.d/*.conf;
    include sites-enabled/*.conf;
   }

• nextcloud站点代理配置文件

nextcloud$ cat nginx/sites-enabled/nextcloud.conf
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.domain.im;

    client_max_body_size 0;
    underscores_in_headers on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        proxy_buffering off;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        proxy_pass http://cloud.domain.im:8880;
    }

    # static files
    location ^~ /browser {
        proxy_pass https://cloud.domain.im:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
      proxy_pass https://cloud.domain.im:9980;
      proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
      proxy_pass https://cloud.domain.im:9980;
      proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/cool/(.*)/ws$ {
      proxy_pass https://cloud.domain.im:9980;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header Host $http_host;
      proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/(c|l)ool {
      proxy_pass https://cloud.domain.im:9980;
      proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /cool/adminws {
      proxy_pass https://cloud.domain.im:9980;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header Host $http_host;
      proxy_read_timeout 36000s;
    }

  ssl_certificate     /etc/nginx/certs/cloud.domain.im.crt;
  ssl_certificate_key /etc/nginx/certs/cloud.domain.im.key;
}

• 这里用一键openssl脚本,创建自签名的证书.

nextcloud$ cat create_self-sign-tls.sh
DOMAIN=$1
[[ -e nginx/ssl ]] && mkdir -pv nginx/ssl
DHP=./nginx/ssl/dhparam.pem
openssl dhparam -out $DHP 2048
[[ -e nginx/certs ]] && mkdir -pv nginx/certs
KEY=./nginx/certs/${DOMAIN}.key
CRT=./nginx/certs/${DOMAIN}.crt
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=US/ST=NC/L=Local/O=Dev/CN=${DOMAIN}" -keyout $KEY -out $CRT

• 一键创建自签名TLS证书脚本

#!/bin/bash

#
# If you using frp via IP address and not hostname, make sure to set the appropriate IP address in the Subject Alternative Name (SAN) area when generating SSL/TLS Certificates.

DAYS=5000
export DOMAIN=$1
if [ ! -d "$DOMAIN" ]; then
  echo "not domain name, default : example.com";
  DOMAIN="example.com"
fi
rm -rf $DOMAIN
[ ! -d $DOMAIN ] && mkdir  $DOMAIN && cd $DOMAIN

cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca
string_mask         = utf8only
prompt              = no
[ req_distinguished_name ]
C  = US
ST = VA
L  = SomeCity
O  = MyCompany
OU = MyDivision
CN = ${DOMAIN}
[ req_attributes ]
[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
EOF


# build ca certificates

echo "---> build ca certificates"
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${DOMAIN}" -days ${DAYS} -out ca.crt


# build frps server side certificates

mkdir server
echo "---> build frps server side certificates"
openssl genrsa -out server/server.key 2048

openssl req -new -sha256 -key server/server.key -out server/server.csr -config my-openssl.cnf

openssl x509 -req -days ${DAYS} \
	-in server/server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile <(printf "subjectAltName=IP:127.0.0.1") \
  -out server/server.crt

# build frpc client side  certificates

echo "---> build frpc client side  certificates"
mkdir client
openssl genrsa -out client/client.key 2048
openssl req -new -sha256 -key client/client.key -out client/client.csr -config my-openssl.cnf

openssl x509 -req -days ${DAYS} \
    -in client/client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile <(printf "subjectAltName=IP:127.0.0.1") \
    -out client/client.crt

cp ca.crt server/ca.crt
mv ca.crt client/ca.crt
rm ca.key ca.srl client/client.csr server/server.csr

echo "create Certificates done!!!!"
echo "verify the server Certificates"

cd server
openssl verify -CAfile ca.crt  server.crt
cd ../client
openssl verify -CAfile ca.crt  client.crt
chmod 644 client/client.key server/server.key

• 最终docker-compose的文件

nextcloud$ cat docker-compose.yml
version: "3"
services:
  nginx:
    image: nginx:latest
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem
      - ./nginx/certs:/etc/nginx/certs
      - ./nginx/sites-enabled:/etc/nginx/sites-enabled
      - /etc/hosts:/etc/hosts:ro
    ports:
      - 80:80
      - 443:443
    environment:
     - SITE_DOMAIN=cloud.domain.im
    depends_on:
     - nextcloud

  pg11:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: db3
      POSTGRES_PASSWORD: rocks
      POSTGRES_USER: cloudjs
    logging:
      driver: "none"
    restart: unless-stopped
    volumes:
      - ./db-data:/var/lib/postgresql/data

  collabora:
    image: collabora/code:latest
    restart: always
    environment:
      - username=admin
      - password=admin
      - cert_domain=cloud.domain.im
      - "extra_params=--o:ssl.enable=true --o:net.post_allow.host=192.168.1.100 --o:storage.wopi.host=192.168.1.100 --o:ssl.termination=true"
    ports:
      - "9980:9980"
    cap_add:
      - MKNOD
    volumes:
      - /etc/hosts:/etc/hosts:ro
      - ./collabora/coolwsd.xml:/etc/coolwsd/coolwsd.xml

  nextcloud:
    image: nextcloud
    restart: unless-stopped
    depends_on:
      - pg11
    cap_add:
      - MKNOD
    volumes:
      - ./volumes/html:/var/www/html
      - ./volumes/config:/var/www/html/config
      - ./volumes/custom_apps:/var/www/html/custom_apps
      - ./volumes/data:/var/www/html/data
      - ./volumes/theme:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
      - /etc/hosts:/etc/hosts:ro
    ports:
      - 8880:80

• 如上面的文件所示,还需要修改collabora/code内默认的配置文件,这里是先从运行容器中复制一份源文件出来,修改后再用挂载的方式,覆盖容器内的配置.

nextcloud$ docker cp <container ID>:/etc/coolwsd/coolwsd.xml ./collabora/coolwsd.xml
nextcloud$ chmod 755 ./collabora/coolwsd.xml

• 打开coolwsd.xml,并找到server_name这个节点,设置值为：cloud.domain.im. 具体如下：

nextcloud$ cat collabora/coolwsd.xml
[...]
<server_name desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string" default="">cloud.domain.im</server_name>
[...]

• 在测试时发,如果没有上述coolwsd.xml的修改,就无法使Collabora Online打开文件编辑,日志中报出如下错误.

  wsd-00001-00039 2022-04-22 15:52:33.479492 +0000 [ websrv_poll ] ERR  #29 Error while handling poll at 0 in websrv_poll: #29BIO error: 0, rc: -1: error:00000000:lib(0):func(0):reason(0):| net/Socket.cpp:467

• 因为是使用nginx做HTTPS代理,还需要对nextcloud/config/config.php修改,加入'overwriteprotocol' => 'https',,重定项跳转.

nextcloud$ sudo cat volumes/config/config.php
[...]
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '23.0.3.2',
  'overwrite.cli.url' => 'http://cloud.domain.im',
  'dbname' => 'db3',
  'dbhost' => 'pg11',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_lcy',
  'appstoreenabled' => true,
  'appstoreurl' => 'https://apps.nextcloud.com/api/v1',
  'installed' => true,
);

Docker安装

• nextcloud/docker
• 这里是个人使用,所以对数据库没有什么特殊要求,就使用sqlite,但是安全方面还是要使用HTTPS,使用docker安装.

~$ docker images | grep "nextcloud" || docker pull nextcloud
~$ if [ ! -d nextcloud ]; then
    mkdir -pv nextcloud/{nextcloud,config,custom_apps,data,theme}
   fi
~$ cd nextcloud && docker run -d --restart=always --name nextcloud -p 8443:443  \
    -v nextcloud:/var/www/html \
    -v config:/var/www/html/config \
    -v custom_apps:/var/www/html/custom_apps \
    -v data:/var/www/html/data \
    -v theme:/var/www/html/themes \
    -v /etc/localtime:/etc/localtime:ro \
    nextcloud

• 下面是docker安装运行sqlite数据库，通过cloudflare tunnel对外提供访问，没有配置nginx之类的代理。

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'xxxxxx',
  'passwordsalt' => 'xxxxxx',
  'secret' => 'xxxxxx',
  'trusted_domains' =>
  array (
    0 => '192.168.1.182',
    1 => 'mycloud.example.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'sqlite3',
  'version' => '26.0.2.1',
  'overwrite.cli.url' => 'https://mycloud.example.com/',
  'overwritehost' => '',
  'overwriteprotocol' => 'https',
  'installed' => true,
);

• 需要配置的参数有以下个:
  • trusted_domains:
  • overwrite.cli.url: https://mycloud.example.com/
  • overwritehost: ‘’,
  • overwriteprotocol: ‘https’, 因为tunnel对外提供的访问是https.

Dokku安装

• ngx_stream_ssl_preread_module

安装Plugins

~$ sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
~$ sudo dokku plugin:install https://github.com/dokku/dokku-postgres.git postgres

安装

~$ dokku apps:create mycloud
~$ docker pull nextcloud
~$ docker images
REPOSITORY             TAG       IMAGE ID       CREATED         SIZE
nextcloud              latest    7aa569922593   11 hours ago    835MB

# Note: The image must be retagged `dokku/<app-name>:<version>`
~$ docker tag nextcloud:latest dokku/mycloud:latest

~$ sudo mkdir -p /var/lib/dokku/data/storage/mycloud
~$ sudo chown -R dokku:dokku /var/lib/dokku/data/storage/mycloud
~$ dokku storage:mount mycloud /var/lib/dokku/data/storage/mycloud:/var/www/html
~$ dokku tags:deploy mycloud latest

• 链接数据库,运行下面操作后,打开浏览器,进入首次配置管理员与数据库类型(Storage & database)的配置,默认是SQLite.

  ~$ dokku postgres:create mycloud_db
  ~$ dokku postgres:link mycloud_db mycloud

• 设置域名,域名是主要是为了使用Let's Encrypt,还有就是SNI的功能,这里没有注册域名,使用了dynv6.net的动态域名.

  ~$ dokku domains:add mycloud  nc.llccyy.dynv6.net
  ~$ dokku domains:remove mycloud mycloud.localhost
  ~$ dokku config:set mycloud --no-restart DOKKU_LETSENCRYPT_EMAIL=yjdwbj@gmail.com
  ~$ dokku letsencrypt mycloud

• 获取证书错误:

darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2021-02-28 08:15:08,915:INFO:__main__:1406: Generating new certificate private key
2021-02-28 08:15:32,772:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/11204345532
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for fpm...
       done

• 出现上面的问题,基本就是DNS A记录的问题,不能解析域名,也有可能是域名服务商的问题,在使用dynv6.com的服务是有碰到这种问题,有时不作任改动,过一段时间重试又可以了.也可以尝试使用其它的DDNS.
• 在dokku中使用Let's Encrypt获取证书,有几点要求注意的点:
  • 必须要有一个域名(有A或AAAA记录),二级动态域名也可.
  • DOKKU_DOCKERFILE_PORTS: 80/tcp,必须是80端口.如:nextcloud:latest是80/tcp,nextcloud:nextcloud:fpm-alpine它是9000/tcp,而且nextcloud:fpm-alpine only a php fpm instance without a web server.所以,使用nextcloud:latest创建的应用是可以正确的获取证书.
  • 如果DOKKU_DOCKERFILE_PORTS不是80端口,可以使用dokku proxy:ports-set <APP> http:80:9000先设置要代理,再申请获取证书.
• 如果是从Docker Images去创建的app,也就是用dokku tags:deploy <appname> latest部署的,可以使用下面docker命令查看它所支持的资源
  与Exposed的详情.

~$ docker inspect <appname>.web.1 | jq ".[0].Config.ExposedPorts"

• 或者直接查看镜像的配置详情

  ~$ docker image inspect <image tag> | jq '.[0].Config.ExposedPorts'

• 设置上传文件限制
• nginx configuration

~$ dokku nginx:set mycloud  client-max-body-size 100m
~$ dokku nginx:show-config mycloud

影音视频

jellyfin媒体中心

• jellyfin
• Hardware Acceleration

~$ docker pull jellyfin/jellyfin
~$ docker run  -d  -p 8096:8096 --name jellyfin   -v `pwd`/jellyfin/config:/config  -v `pwd`/jellyfin/cache:/cache  -v `pwd`/Incoming:/media  --restart=unless-stopped docker.io/jellyfin/jellyfin:latest

KODI(XMBC)

• kodi

• kodi非常强支持非常的多的系统平台,如果是小米电视2，因为它是深度定制的android 4.3,所以最高版本只能安装kodi-16.1-Jarvis-armeabi-v7a.apk,这版本，很多内置的Add-ons已经失效，且有很多的插件也是失效，比如: jellyfin-kodi的插件就是无法使用，但是用它与minidlna配合还是很好的，只少比SMBFS的体验要好。

本地收藏夹服务

• sissbruecker/linkding

PDF转文本OCR

poppler-utils

• 下面是以一个日文说明书为例,pdftotext无法转码，显示乱码，pdftohtml显示版权问题。

~$ sudo apt-get install poppler-utils
~$ pdftotext  ~/Downloads/SDFA.pdf target.txt
~$ pdftohtml  ~/Downloads/SDFA.pdf target.html
Permission Error: Copying of text from this document is not allowed.

ocrmypdf

• ocrmypdf也是不能转换加密后的PDF

~$ sudo apt-get install ocrmypdf
~$ ocrmypdf ~/Downloads/SDFA.pdf  -l jpn test.txt
EncryptedPdfError: Input PDF is encrypted. The encryption must be removed to
perform OCR.

For information about this PDF\'s security use
    qpdf --show-encryption infilename

You can remove the encryption using
    qpdf --decrypt [--password=[password]] infilename

Tesseract

~$ dpkg -l | grep "tesseract"
ii  libtesseract-dev:amd64                                      4.1.1-2.1                                                 amd64        Development files for the tesseract command line OCR tool
ii  libtesseract4:amd64                                         4.1.1-2.1                                                 amd64        Tesseract OCR library
ii  tesseract-ocr                                               4.1.1-2.1                                                 amd64        Tesseract command line OCR tool
ii  tesseract-ocr-chi-sim                                       1:4.00~git30-7274cfa-1.1                                  all          tesseract-ocr language files for Chinese - Simplified
ii  tesseract-ocr-cym                                           1:4.00~git30-7274cfa-1.1                                  all          tesseract-ocr language files for Welsh
ii  tesseract-ocr-dev                                           3.04.01-5                                                 all          transitional dummy package
ii  tesseract-ocr-eng                                           1:4.00~git30-7274cfa-1.1                                  all          tesseract-ocr language files for English
ii  tesseract-ocr-equ                                           3.04.00-1                                                 all          tesseract-ocr language files for equations
ii  tesseract-ocr-jpn                                           1:4.00~git30-7274cfa-1.1                                  all          tesseract-ocr language files for Japanese
ii  tesseract-ocr-osd                                           1:4.00~git30-7274cfa-1.1                                  all          tesseract-ocr language files for script and orientation

• Tesseract不支持对PDF文件进行识别

  ~$ tesseract ~/Downloads/SDFA.pdf ttt --dpi 150
  Tesseract Open Source OCR Engine v4.1.1 with Leptonica
  Error in pixReadStream: Pdf reading is not supported
  Error in pixRead: pix not read
  Error during processing.

• 先把它转成一张张png,

~$ pdftoppm -png ~/Downloads/SDFA.pdf turing
~$ ls turing-*.png
turing-1.png  turing-2.png  turing-3.png  turing-4.png  turing-5.png

• 安装目标语言包

  ~$ tesseract  --list-langs
  List of available languages (5):
  chi_sim
  cym
  eng
  jpn
  osd
  
  ~$ tesseract turing-2.png turing -l jpn --dpi 150

• 输出turing.txt的文本文件。

Frog

• TenderOwl/Frog/Extract text from any image, video, QR Code and etc.

离线wiki

• 链接：
  • ZIM_file_format
  • Zim file Readers
  • Zim file download center
  • Wikipedia:Database download

Kiwix

• Kiwix

• 源码编译

~$ sudo apt-get install libxapian-dev libpugixml-dev

• kiwix/libkiwix

• Mustache

  ~$ git clone https://github.com/kainjow/Mustache

• 先安装libkiwix

~$ git clone https://github.com/kiwix/libkiwix
~$ cd libkiwix
~$ cat >build.patch<<EOF
index fca77ec..5111206 100644
--- a/meson.build
+++ b/meson.build
@@ -28,9 +28,9 @@ zlib_dep = dependency('zlib', static:static_deps)
 xapian_dep = dependency('xapian-core', static:static_deps)

 if compiler.has_header('mustache.hpp')
-  extra_include = []
-elif compiler.has_header('mustache.hpp', args: '-I/usr/include/kainjow')
-  extra_include = ['/usr/include/kainjow']
+  extra_include = ['/home/michael/3TB-DISK/github/kiwix/Mustache']
+elif compiler.has_header('mustache.hpp', args: '-I/home/michael/3TB-DISK/github/kiwix/Mustache')
+  extra_include = ['/home/michael/3TB-DISK/github/kiwix/Mustache']
 else
   error('Cannot found header mustache.hpp')
 endif
EOF
~$ meson . build && ninja -C build install

• [openzim/libzim](git clone https://github.com/openzim/libzim)

~$ git clone https://github.com/openzim/libzim
~$ cd libzim
~$ meson . build && ninja -C build install

• kiwix/kiwix-desktop

~$ git clone https://github.com/kiwix/kiwix-desktop
~$ cd kiwix-desktop
~$ qmake && make -j10 install

• 直接编译成deb安装包

~$ cat > rules.patch <<EOF
index f023663..f4f2877 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,3 +4,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all

 %:
        dh $@
+
+override_dh_shlibdeps:
+       dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info

EOF
~ kiwix-desktop$ git apply rules.path
~ kiwix-desktop$ dpkg-buildpackage -us -uc

搭建Matrix服务

• matrix 菜鳥使用心得

• 使用docker-compose搭建一个本地matrix服务做测试

~$ mkdir matrix
~$ docker network create --driver=bridge --subnet=10.10.10.0/24 --gateway=10.10.10.1 matrix_net
~$ cd matrix

• 如果只是测试,或者VPS资源有限,使用sqlite3就可以，注释掉postgres的一项。

• docker-compose.yaml

version: '3.8'
services:
  postgres:
    image: postgres:11-alpine
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 10.10.10.2
    volumes:
     - ./postgresdata:/var/lib/postgresql/data

    # These will be used in homeserver.yaml later on
    environment:
     - POSTGRES_DB=synapse
     - POSTGRES_USER=synapse
     - POSTGRES_PASSWORD=STRONGPASSWORD
     - POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8

  element:
    image: vectorim/element-web:latest
    restart: unless-stopped
    volumes:
      - ./element-config.json:/app/config.json
    networks:
      default:
        ipv4_address: 10.10.10.3

  synapse:
    image: matrixdotorg/synapse:latest
    restart: unless-stopped
    networks:
      default:
        ipv4_address: 10.10.10.4
    volumes:
     - ./synapse:/data

networks:
  default:
    external:
      name: matrix_net

• 下载element的模版本配置文件,并且删除"default_server_name": "matrix.org"这一行。

matrix$ wget https://develop.element.io/config.json
matrix$ mv config.json element-config.json

生成Synapse配置文件

matrix$ mkdir synapse
matrix$ docker run -it --rm \
    -v "$(PWD)/synapse:/data" \
    -e SYNAPSE_SERVER_NAME=matrix.example.com \
    -e SYNAPSE_REPORT_STATS=yes \
    matrixdotorg/synapse:latest generate

• Synapse默认是使用sqlite3的,如果是要使用postgres,需要把synapse/homeserver.yaml里的database设置如下：

database:
  name: psycopg2
  args:
    user: synapse
    password: STRONGPASSWORD
    database: synapse
    host: postgres
    cp_min: 5
    cp_max: 10

• 创建新的用户

matrix$ docker-compose up -d

matrix$ docker exec -it matrix_synapse_1 bash
~# register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
New user localpart [root]: ruan
Password:
Confirm password:
Make admin [no]: yes
Sending registration request...
Success!

caddy V2代理

• Getting Started

$ apt install -y debian-keyring debian-archive-keyring apt-transport-https
$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
$ apt update
$ apt install caddy -y

matrix$ cat Caddyfile
http://matrix.example.com {
  tls internal
  reverse_proxy /_matrix/* 10.10.10.4:8008
  reverse_proxy /_synapse/client/* 10.10.10.4:8008
  log {
    output file /var/log/caddy/matrix.example.log
  }
  header {
    X-Content-Type-Options nosniff
    Referrer-Policy  strict-origin-when-cross-origin
    Strict-Transport-Security "max-age=63072000; includeSubDomains;"
    Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection 1
    X-Robots-Tag none
    -server
  }
}

http://element.example.com {
  tls internal
  encode zstd gzip
  reverse_proxy 10.10.10.3:80

  log {
    output file /var/log/caddy/element.example.log
  }
  header {
    X-Content-Type-Options nosniff
    Referrer-Policy  strict-origin-when-cross-origin
    Strict-Transport-Security "max-age=63072000; includeSubDomains;"
    Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection 1
    X-Robots-Tag none
    -server
  }
}

• 加入到系统的配置运行

matrix$ caddy adapt --config /path/path/Caddyfile
matrix$ caddy fmt
matrix$ caddy reload

• 注意：Caddyfile内如果只写 <domain.com> {} 的格式,它就会自动转换http -> https,这对于内网测试，本地浏览器测试会出现Mixed content blocked这样的错误.

移动APP的连接

• 进入网页端的管理后台https://<domain>/settings/user/security. 在Devices & sessions下面点击Create new app password生成一个动态的用户与密码,再点Show QR code from mobile apps,打开移动端nextcloud选择连接自建服务器,扫描连接.
• 如果碰到问题,可以通过查看https://<domain>/settings/admin/logging.

MinIO

• minio

• http://www.minio.org.cn/

• Build a PI Cluster for Local Development - Part 1

• MinIO是在GNU Affero通用公共许可证v3.0下发布的高性能对象存储.它是与Amazon S3云存储服务兼容的API.使用MinIO 为机器学习、分析和应用
  程序数据工作负载构建高性能基础架构.

容器运行

~$ sudo apt-get install podman -y
~$ podman run \
  -p 9000:9000 \
  -p 9001:9001 \
  minio/minio server /data --console-address ":9001"

• 如果出现下面的错误,请确认/etc/containers/registries.conf里有这一行unqualified-search-registries=["docker.io"],再重试.

  Error: error getting default registries to try: short-name "minio/minio" did not resolve to an alias and no unqualified-search registries are defined in "/etc/containers/registries.conf"

• 也可以docker运行

  ~$ docker run -it --rm -p 9000:9000 \
    -v `pwd`/minio-data:/data \
    -e MINIO_ROOT_USER=minio \
    -e MINIO_ROOT_PASSWORD=minio123 \
    -p 9001:9001 minio/minio server /data --console-address ":9001"

直接单机运行

~$ wget http://dl.minio.org.cn/server/minio/release/darwin-amd64/minio
~$ chmod +x minio
~$ ./minio server /data

客户端访问

mc

• MinIO Client Quickstart Guide
• MinIO Admin Complete Guide

~$ ./mc alias set myminio http://127.0.0.1:9000 minio minio123
Added `myminio` successfully.

• 添加用户

  ~$ ./mc admin user add myminio testuser testpwd123
  Added user `testuser` successfully.
  ~$ ./mc admin user info myminio testuser
  AccessKey: testuser
  Status: enabled
  PolicyName:
  MemberOf:

• 添加桶(bucket)

  ./mc mb myminio/test-new-s3-bucket
  Bucket created successfully `myminio/test-new-s3-bucket`.

• 创建一个bucket policy

~$ cat test-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:GetBucketLocation",
          "s3:ListBucket",
          "s3:ListAllMyBuckets"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::<change-this-to-your-bucket-name>/*"
        ],
        "Sid": "Public"
      }
    ]
}

• 把策略文件加入到服务器中

  ~$ ./mc admin policy add myminio test-policy test-policy.json
  Added policy `test-policy` successfully.

• 应用策略到指定的用户上

  ~$ ./mc admin policy set myminio "test-policy" user=testuser
  Policy `test-policy` is set on user `testuser`
  
  ~$ ./mc admin user info myminio testuser
  AccessKey: testuser
  Status: enabled
  PolicyName: test-policy
  MemberOf:

awscli

~$ pip3 install awscli

~$ aws configure --profile minio
AWS Access Key ID [None]: minio
AWS Secret Access Key [None]: minio123
Default region name [None]: myminio
Default output format [None]: json

• 创建一个bucket.

  ~$ aws --profile minio --endpoint-url http://127.0.0.1:9000 s3 mb s3://new-s3-bucket

• 列出服务器上的bucket.

  ~$ aws --profile minio --endpoint-url http://127.0.0.1:9000 s3 ls
  2021-12-13 23:16:20 new-s3-bucket
  2021-12-13 22:58:15 test-new-s3-bucket

• 上传一个文件

  ~$ aws --profile minio --endpoint-url http://127.0.0.1:9000 s3 cp test-policy.json s3://new-s3-bucket
  upload: ./test-policy.json to s3://new-s3-bucket/test-policy.json

• 再对比一下,绑定到minio容器的本地目录minio-data的结构.

minio$ tree minio-data/
minio-data/
├── new-s3-bucket
│   └── test-policy.json
└── test-new-s3-bucket

2 directories, 1 file

• Kubernetes环境中,使用MinIO Kubernetes Operator来创建/配置/管理k8s的MinIO集群.

Syncthing

• https://github.com/syncthing/syncthing

~$ docker pull syncthing/syncthing
~$ docker run -p 8384:8384 -p 22000:22000 -v <YOUR PC FOLDER>/share:/var/syncthing syncthing/syncthing:latest

使用docker-compose创建

• 这里使用docker-compose创建,并支持Traefik反向代理,暴露给外部访问,这里只是本地内部测试,未配置https与真实的域名.

  syncthing$ cat .env
  # Syncthing
  DOCKER_SYNCTHING_IMAGE_NAME=syncthing/syncthing
  DOCKER_SYNCTHING_HOSTNAME=syncthing-on-storage
  DOCKER_SYNCTHING_DOMAIN=syncthing.localhost
  
  # discosrv
  DOCKER_DISCOSRV_IMAGE_NAME=syncthing/discosrv
  DOCKER_DISCOSRV_HOSTNAME=discosrv-on-storage
  DOCKER_DISCOSRV_DOMAIN=discosrv.localhost
  
  # exporter
  DOCKER_EXPORTER_IMAGE_NAME=soulteary/syncthing-exporter
  # xxd -l 16 -p /dev/random | base64
  DOCKER_EXPORTER_API_TOKEN=OTU0NGJmMGJhYzRiNGEzM2Q3Yzc4MjhjOTdhZjJkMDAK
  DOCKER_EXPORTER_HOSTNAME=syncthing-exporter-on-storage
  DOCKER_EXPORTER_DOMAIN=syncthing-exporter.localhost

• docker-compose.yml文件,需要当前目录里的.env文件配合.

syncthing$ cat docker-compose.yml

version: "3"

services:
  syncthing:
    image: ${DOCKER_SYNCTHING_IMAGE_NAME}
    container_name: ${DOCKER_SYNCTHING_HOSTNAME}
    hostname: ${DOCKER_SYNCTHING_HOSTNAME}
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./data:/var/syncthing
    ports:
      - "22000:22000"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_default"
      - "traefik.http.routers.sync-http.entrypoints=http"
      - "traefik.http.routers.sync-http.rule=Host(`${DOCKER_SYNCTHING_DOMAIN}`)"
      - "traefik.http.routers.sync-http.service=sync-backend"
      - "traefik.http.services.sync-backend.loadbalancer.server.scheme=http"
      - "traefik.http.services.sync-backend.loadbalancer.server.port=8384"
    networks:
      - traefik_default
    logging:
      driver: "json-file"
      options:
        max-size: "1m"

networks:
  traefik_default:
    external: true

• 通过浏览器打开http://127.0.0.1:8384访问控制台,移动端可以安装syncthing客户端进行连接.

源码编译，安装systemd服务运行

~$ git clone https://github.com/syncthing/syncthing
~$ cd syncthing && ./build.sh


~$ sudo cp bin/syncthing /usr/bin/
~$ sudo cp etc/linux-systemd/user/syncthing.service /etc/systemd/user/
~$ systemctl --user --now enable syncthing
~$ systemctl start syncthing

使用docker-compose安装mysql+phpadmin

version: '3'

services:
  db:
    image: mysql
    container_name: zlib-db
    environment:
      MYSQL_ROOT_PASSWORD: 123456
      MYSQL_DATABASE: zlib-db
      MYSQL_USER: zlib
      MYSQL_PASSWORD: zlib123
    ports:
      - "3306:3306"
    volumes:
      - ./db-data:/var/lib/mysql
  phpmyadmin:
    image: phpmyadmin
    container_name: pma
    links:
      - db
    environment:
      PMA_HOST: zlib-db
      PMA_PORT: 3306
      PMA_ARBITRARY: 1
    restart: always
    ports:
      - 8081:80
volumes:
  dbdata:

协作文档

CryptPad

• xwiki-labs/cryptpad

  ~$ sudo dokku apps:create cryptpad
  ~$ docker tag promasu/cryptpad:latest dokku/cryptpad:latest
  ~$ sudo dokku tags:deploy cryptpad latest
  ~$ sudo dokku domains:add cryptpad cryptpad.llccyy.dynv6.net

wiki.js

• wikijs
• Requarks/wiki

docker-compose安装

• wikijs installation
• Deploy Wiki.js 2.4.107 in Docker Swarm

wiki.js$ cat docker-compose.yml
version: "3"
services:

  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: wiki
      POSTGRES_PASSWORD: wikijsrocks
      POSTGRES_USER: wikijs
    logging:
      driver: "none"
    restart: unless-stopped
    networks:
      - traefik_default
    volumes:
      - ./db-data:/var/lib/postgresql/data

  wiki:
    image: requarks/wiki:2
    depends_on:
      - db
    networks:
      - traefik_default
    environment:
      DB_TYPE: postgres
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: wikijs
      DB_PASS: wikijsrocks
      DB_NAME: wiki
    restart: unless-stopped
    expose:
      - 3000
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_default
      - traefik.http.routers.wiki.rule=Host(`wiki.localhost`)
      - traefik.http.routers.wiki.entrypoints=http
      - traefik.http.services.wiki.loadbalancer.server.port=3000

networks:
  traefik_default:
    external: true

• 如上面如示,docker-compose.yml是开启了Traefik反向代理的,启动后,打开http://wiki.localhost/就可以设置安装wiki.js向导页了.

配置TLS与域名

cat docker-compose-wikijs.yml
version: "3"
services:

  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: wiki
      POSTGRES_PASSWORD: wikijsrocks
      POSTGRES_USER: wikijs
    logging:
      driver: "none"
    restart: unless-stopped
    networks:
      - traefik_default
    volumes:
      - ./db-data:/var/lib/postgresql/data

  wiki:
    image: requarks/wiki:2
    depends_on:
      - db
    networks:
      - traefik_default
    environment:
      DB_TYPE: postgres
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: wikijs
      DB_PASS: wikijsrocks
      DB_NAME: wiki
    restart: unless-stopped
    expose:
      - 3000
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik_default
      - traefik.http.routers.wiki.rule=Host(`<your full domain name>`) && (PathPrefix(`/wiki`) || PathPrefix(`/_assets`))
      - traefik.http.routers.wiki.entrypoints=websecure
      - traefik.http.routers.wiki.tls.certresolver=myresolver
      - traefik.http.services.wiki.loadbalancer.server.port=3000

networks:
  traefik_default:
    external: true

• 如上面所示,entrypoints=websecure,tls.certresolver=myresolver这两个指项的定义是在traefik启动命令行中定义的,而且路由规则Rule必须是匹配/wiki与/_assets的前缀.traefix的启动命令大概如下：

[...]
traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      - "--api.insecure=false"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/letsencrypt/"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=<your email>@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
[...]

• 第一次启动访问wiki页面时,会是一个初始化安装页,在SITE URL必须填写https://<your full domain>/wiki.

AI/ML

语音控制

DeepSpeech

• DeepSpeech is an open source embedded (offline, on-device) speech-to-text engine which can run in real time on devices ranging from a Raspberry Pi 4 to high power GPU servers.

MycroftAI/mimic3

• A fast and local neural text to speech system developed by Mycroft for the Mark II.

(MycroftAI/mycroft-core)[https://github.com/MycroftAI/mycroft-core]

• Mycroft is a hackable open source voice assistant.

通信类

Matrix

服务端

Dendrite

• dendrite

• INSTALL.md

• 这里主要根据官方的文档,通过docker快速部署一个服务实践.

~$ git clone https://github.com/matrix-org/dendrite

客户端

项目管理

OpenProject

• openproject

自动化测试

RobotFramework

• robotframework

Trojan

• trojan与dokku共用 443端口,4层转发.

~$ nginx  -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# https://raymii.org/s/tutorials/nginx_1.15.2_ssl_preread_protocol_multiplex_https_and_ssh_on_the_same_port.html
stream {
    map $ssl_preread_server_name $backend_name {
	proxy.yjdwbj.cloudns.org trojan;
	nc.llccyy.dynv6.net mycloud;
	fpm.yjdwbj.cloudns.org fpm;
        default dokku;
    }
    upstream dokku {
	server 127.0.0.1:2000;
    }
	upstream fpm
	{
		server 127.0.0.1:6443;
	}

    upstream trojan {
        server 172.17.0.2:443;
    }

	upstream mycloud {

	  server 127.0.0.1:5443;
	}


    server {
        listen 443 reuseport ;
        listen [::]:443 reuseport;
        proxy_pass  $backend_name;
	#proxy_protocol on;
        ssl_preread on;
    }
}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/dokku-installer.conf:
upstream dokku-installer { server 127.0.0.1:2000; }
server {
  listen      80;
  location    / {
    proxy_pass  http://dokku-installer;
  }
}

# configuration file /etc/nginx/conf.d/dokku.conf:
include /home/dokku/*/nginx.conf;

server_tokens off;

# Settings from https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_session_cache   shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;

ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# configuration file /home/dokku/fpm/nginx.conf:

server {
  listen      [::]:80;
  listen      80;
  server_name fpm.yjdwbj.cloudns.org;
  access_log  /var/log/nginx/fpm-access.log;
  error_log   /var/log/nginx/fpm-error.log;

  return 301 https://$host:6443$request_uri;

}

server {
  listen      [::]:6443 ssl http2;
  listen      6443 ssl http2;

  server_name fpm.yjdwbj.cloudns.org;
  access_log  /var/log/nginx/fpm-access.log;
  error_log   /var/log/nginx/fpm-error.log;

  ssl_certificate           /home/dokku/fpm/tls/server.crt;
  ssl_certificate_key       /home/dokku/fpm/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;


  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://fpm-80;
    http2_push_preload on;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

  }


  include /home/dokku/fpm/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream fpm-80 {

  server 172.17.0.5:80;
}


# configuration file /home/dokku/fpm/nginx.conf.d/hsts.conf:
add_header Strict-Transport-Security "max-age=15724800; includeSubdomains" always;

# configuration file /home/dokku/mycloud/nginx.conf:

server {
  listen      [::]:80;
  listen      80;
  server_name nc.llccyy.dynv6.net;
  access_log  /var/log/nginx/mycloud-access.log;
  error_log   /var/log/nginx/mycloud-error.log;

  return 301 https://$host:5443$request_uri;

}

server {
  listen      [::]:5443 ssl http2;
  listen      5443 ssl http2;

  server_name nc.llccyy.dynv6.net;
  access_log  /var/log/nginx/mycloud-access.log;
  error_log   /var/log/nginx/mycloud-error.log;

  ssl_certificate           /home/dokku/mycloud/tls/server.crt;
  ssl_certificate_key       /home/dokku/mycloud/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;


  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://mycloud-80;
    http2_push_preload on;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

  }

  client_max_body_size 100m;
  include /home/dokku/mycloud/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream mycloud-80 {

  server 172.17.0.4:80;
}


# configuration file /home/dokku/mycloud/nginx.conf.d/hsts.conf:
add_header Strict-Transport-Security "max-age=15724800; includeSubdomains" always;

# configuration file /home/dokku/trojan/nginx.conf:

server {
  listen      [::]:7443 ssl http2;
  listen      7443 ssl http2;

  server_name proxy.yjdwbj.cloudns.org;
  access_log  /var/log/nginx/trojan-access.log;
  error_log   /var/log/nginx/trojan-error.log;

  ssl_certificate           /home/dokku/trojan/tls/server.crt;
  ssl_certificate_key       /home/dokku/trojan/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;


  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  https://trojan-443;
    http2_push_preload on;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

  }


  include /home/dokku/trojan/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream trojan-443 {

  server 172.17.0.2:443;
}


# configuration file /home/dokku/trojan/nginx.conf.d/hsts.conf:
add_header Strict-Transport-Security "max-age=15724800; includeSubdomains" always;

# configuration file /etc/nginx/conf.d/server_names_hash_bucket_size.conf:
#server_names_hash_bucket_size 512;

• 本地端口与上面对应有5443,7443,6443

netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6443            0.0.0.0:*               LISTEN      23764/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      23764/nginx: master
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      27904/python3
tcp        0      0 0.0.0.0:7443            0.0.0.0:*               LISTEN      23764/nginx: master
tcp        0      0 0.0.0.0:2132            0.0.0.0:*               LISTEN      1027/sshd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2715/dnsmasq
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23764/nginx: master
tcp        0      0 0.0.0.0:8123            0.0.0.0:*               LISTEN      444/polipo
tcp        0      0 0.0.0.0:5443            0.0.0.0:*               LISTEN      23764/nginx: master
tcp        0      0 0.0.0.0:1443            0.0.0.0:*               LISTEN      1435/ss-server
tcp6       0      0 :::6443                 :::*                    LISTEN      23764/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      23764/nginx: master
tcp6       0      0 :::7443                 :::*                    LISTEN      23764/nginx: master
tcp6       0      0 :::2132                 :::*                    LISTEN      1027/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      2715/dnsmasq
tcp6       0      0 :::443                  :::*                    LISTEN      23764/nginx: master
tcp6       0      0 :::5443                 :::*                    LISTEN      23764/nginx: master
tcp6       0      0 :::1443                 :::*                    LISTEN      1435/ss-server

资源聚合

• 100种不错的免费工具和资源
• https://arxiv.org/
  • arXiv is a free distribution service and an open-access archive for 1,993,024 scholarly articles in the fields of physics, mathematics, computer science, quantitative biology, quantitative finance, statistics, electrical engineering and systems science, and economics. Materials on this site are not peer-reviewed by arXiv.
• 计算机工程资料索引

谢谢支持

• 微信二维码: