purgatory/Xray-docs-next
1
0
Fork 0
mirror of https://github.com/XTLS/Xray-docs-next.git synced 2025-04-05 14:23:34 +03:00
Code Issues Projects Releases Packages Wiki Activity

Translate dev, second edition

Browse source
This commit is contained in:
Kevin Amiri 2023-04-20 19:31:38 +02:00
parent 546df9549b
commit 0fc30e08d7
11 changed files with 708 additions and 671 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docs/en/development/protocols/mkcp.md
View file

@ -56,7 +56,7 @@ as which:
### Confirmation snippet
| 2 bytes | 1 byte | 1 byte | 4 bytes | 4 bytes | 4 bytes | 2 bytes | Len * 4 bytes |
| 2 bytes | 1 byte | 1 byte | 4 bytes | 4 bytes | 4 bytes | 2 bytes | Len \* 4 bytes |
| ------- | ------ | ------ | ------- | --------------- | --------- | ------- | ------------------- |
| Conv ID | Cmd | Opt | Wnd | Next Seq Number | Timestamp | Length | Received Seq Number |
@ -89,4 +89,4 @@ as which:
- Option Opt: Same as above
- Unacknowledged sequence number Una: Same as the Una of the data fragment
- Next receive sequence number Sn: Same as the Sn of the acknowledgement fragment
- Delay Rto: Delay calculated by the remote host itself
- Delay Rto: Delay calculated by the remote host itself

2
docs/en/development/protocols/muxcool.md
View file

@ -114,4 +114,4 @@ While staying connected:
The Mux.Cool protocol is agnostic to the underlying protocol and can theoretically use any reliable streaming connection to transmit Mux.Cool protocol data.
In target-oriented protocols such as Shadowsocks and VMess, a specified address must be included when establishing a connection. To maintain compatibility, the Mux.Cool protocol specifies the address as "v1.mux.cool". When the target address of the main connection matches this address, the Mux.Cool forwarding method is used. Otherwise, forwarding is done in the traditional way. (Note: This is an internal tag in the program, and VMess and VLESS do not send the "v1.mux.cool" address in data packets.)
In target-oriented protocols such as Shadowsocks and VMess, a specified address must be included when establishing a connection. To maintain compatibility, the Mux.Cool protocol specifies the address as "v1.mux.cool". When the target address of the main connection matches this address, the Mux.Cool forwarding method is used. Otherwise, forwarding is done in the traditional way. (Note: This is an internal tag in the program, and VMess and VLESS do not send the "v1.mux.cool" address in data packets.)

29
docs/en/development/protocols/vless.md
View file

@ -16,13 +16,13 @@ VLESS had the aforementioned structure as early as the second alpha test version
"`Response authentication`" has been replaced with "`Protocol version`" and moved to the front, allowing VLESS to upgrade and eliminate the overhead of generating pseudo-random numbers. The obfuscation-related structure has been replaced with "`Additional information`" (ProtoBuf) and moved forward, giving the protocol itself scalability, with minimal overhead ([gogo/protobuf](https://github.com/gogo/protobuf)). If there is no additional information, there is no relevant overhead.
I have always felt that "Response Authentication" is not necessary. During ALPHA, math/rand was used to improve the performance of generating random numbers instead of crypto/rand, but now it is no longer needed.
I always thought that "response authentication" was not necessary, and ALPHA replaced crypto/rand with math/rand in order to improve the performance of random number generation, which is no longer needed.
The "Protocol Version" not only serves as "Response Authentication", but also gives VLESS the ability to upgrade the protocol structure seamlessly, bringing infinite possibilities. The "Protocol Version" is 0 in the test version and 1 in the official version. If there are any incompatible protocol structural changes in the future, the version should be upgraded.
The design of VLESS server is switch version, which supports all VLESS versions at the same time. If you need to upgrade the protocol version (which may not happen), it is recommended that the server support it one month in advance, and then change the client after one month. VMess requests also have protocol versions, but their authentication information is outside, and the instruction part is highly coupled and has fixed encryption, which makes the protocol version meaningless inside. The server does not judge it, and the response does not have a protocol version. Trojan's protocol structure does not have a protocol version.
The following is a UUID. I used to think that 16 bytes were a bit long and considered shortening it. However, I later saw that Trojan used 56 printable characters (56 bytes), which completely dispelled this idea. The server needs to verify the UUID every time, so performance is also very important: VLESS's Validator has undergone multiple refactoring/upgrades. Compared with VMess, it is very concise and consumes very few resources. It can support a large number of users at the same time, and its performance is also very strong. The verification speed is extremely fast (sync.Map). API dynamically adds and deletes users, making it more efficient and smooth.
The following is a UUID. I used to think that 16 bytes were a bit long and considered shortening it. However, I later saw that Trojan used 56 printable characters (56 bytes), which completely dispelled this idea. The server needs to verify the UUID every time, so performance is also very important: VLESS's Validator has undergone multiple refactoring/upgrades. Compared with VMess, it is very concise and consumes very few resources. It can support a large number of users at the same time, and its performance is also very strong. The verification speed is extremely fast (sync.Map). API dynamically adds and deletes users, making it more efficient and smooth.
https://github.com/XTLS/Xray-core/issues/158
Introducing ProtoBuf is an innovation, which will be explained in detail later. The structure from "instruction" to "address" is currently identical to VMess and also supports Mux.
@ -45,15 +45,24 @@ Below is an introduction to the concepts of Schedulers and Encryption, both of w
## Flow
~~Temporary Chinese name: Traffic Scheduler~~ (Updated on 2020-09-03: The Chinese name is confirmed as "Flow Control"). The command is carried by ProtoBuf and controls the data section.
### Flow Control (Formerly Traffic Scheduler)
I previously found that the original "metadata obfuscation" feature of VMess did not bring any meaningful changes in TLS, but only reduced performance, so VLESS abandoned it. Also, the term "obfuscation" is easily misunderstood as camouflage, so it has been abandoned. By the way, I have always been skeptical of camouflage: if it cannot be exactly the same, isn't it a strong feature? If it can be exactly the same, why not directly use the target for camouflage? I initially used SSR, but later found that it only superficially camouflages and deceives the operator, so I never used it again.
The Flow Control command is carried by ProtoBuf and manages the data section.
So, what problem does the "Traffic Scheduler" solve? It affects the macro traffic temporal characteristics, rather than the micro characteristics that encryption aims to solve. Traffic temporal characteristics can be protocol-based, such as the Socks5 handshake when using Socks5 over TLS. Different characteristics on TLS are different protocols for monitors. At this point, infinite schedulers are equivalent to infinite protocols (re-assigning the amount of data sent each time). Traffic temporal characteristics can also be behavior-based, such as how many files are loaded, the order, and the size of each file when accessing the Google homepage. Adding another layer of encryption cannot effectively conceal this information.
I previously discovered that VMess's original "metadata obfuscation" feature didn't provide any meaningful changes in TLS but only decreased performance. Consequently, VLESS has abandoned this feature. Moreover, the term "obfuscation" is often misinterpreted as camouflage, so it has been discarded.
Schedulers do not need to be wrapped like Encryption below because the tiny amount of data in the header is negligible compared to the rest of the data.
As for camouflage, if it can't be an exact match, wouldn't it be a noticeable characteristic? If it could be an exact match, why not use the intended target for camouflage directly? Initially, I used SSR but found it only provided superficial disguises, fooling operators. Thus, I stopped using it.
BETA 2 is expected to introduce two basic schedulers: Zstd compression and dynamic data expansion. Advanced operations will control and distribute at a macro level, but for now, they are still pending.
#### Purpose of Flow Control
Flow Control influences macro traffic temporal characteristics rather than micro characteristics addressed by encryption. Traffic temporal characteristics can be:
1. **Protocol-based**, e.g., Socks5 handshake when using Socks5 over TLS. Different traits on TLS are considered different protocols for monitors. Infinite schedulers equate to infinite protocols (reallocating data sent each time).
2. **Behavior-based**, e.g., loading files, their order, and size when accessing Google's homepage. Adding another encryption layer cannot effectively conceal this information.
Schedulers don't require wrapping like encryption since the header data's tiny amount is negligible compared to the remaining data.
BETA 2 is anticipated to introduce two basic schedulers: Zstd compression and dynamic data expansion. Advanced operations will control and distribute at a macro level, but for now, these remain under development.
## Encryption
@ -61,13 +70,13 @@ Unlike VMess, which is highly coupled, VLESS allows the server and client to pre
Compared with VMess, VLESS replaces security with encryption and disableInsecureEncryption with decryption, which solves all the problems. Currently, encryption and decryption only accept "none" and cannot be left blank (even if there are connection security checks in the future), as detailed in the VLESS configuration document. Encryption does not need to be moved out one level, firstly because it cannot reuse a lot of code, and secondly because it will affect the control granularity, which will be understood by looking at future applications.
Encryption supports two types of forms. One type is completely independent and requires an additional password, suitable for private use. The other type combines with the existing UUID for encryption, which is suitable for public use.
Encryption supports two types of forms. One type is completely independent and requires an additional password, suitable for private use. The other type combines with the existing UUID for encryption, which is suitable for public use.
(If the first type of encryption is used and the password is publicly available in some form, such as multiple people sharing it, then a man-in-the-middle attack is not far away.)
A redesigned dynamic port may be released simultaneously with encryption, and the command is carried by ProtoBuf. The specific implementation and the dynamic port of VMess will also have many differences.
It is very easy to cash out encrypted currency, which adds an extra layer of writer & reader. BETA 3 is expected to support SS's aes-128-gcm and chacha20-ietf-poly1305:
It is very easy to cash out encrypted currency, which adds an extra layer of writer & reader. BETA 3 is expected to support SS's aes-128-gcm and chacha20-ietf-poly1305:
The encryption on the client-side can be filled with "auto: ss_aes-128-gcm_0_123456, ss_chacha20-ietf-poly1305_0_987654". Auto will choose the most suitable one for the current machine, 0 represents the beta version, and the last one is the password. The decryption on the server-side is also filled in a similar way, and each decryption attempt will be made when the request is received.
@ -87,4 +96,4 @@ Not all combinations need to be tried one by one: VMess encryption is divided in
Thank you to [@DuckSoft](https://github.com/DuckSoft) for the proposal!
Please see [VMessAEAD/VLESS Sharing Link Standard Proposal](https://github.com/XTLS/Xray-core/issues/91) for more details.
Please see [VMessAEAD/VLESS Sharing Link Standard Proposal](https://github.com/XTLS/Xray-core/issues/91) for more details.

23
docs/en/development/protocols/vmess.md
View file

@ -68,10 +68,9 @@ The instruction part is encrypted using AES-128-CFB.
Options Opt Details: (When a bit is 1, it means the option is enabled)
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| X | X | X | X | X | M | R | S |
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
| X | X | X | X | X | M | R | S |
of which:
@ -126,16 +125,16 @@ Before the transmission is completed, the data packet must contain actual data,
The packets are formatted as follows, depending on the encryption method:
- Unencrypted:
  - L bytes: actual data;
  - L bytes: actual data;
- AES-128-CFB: The entire data section is encrypted using AES-128-CFB.
  - 4 bytes: FNV1a hash of actual data;
  - L - 4 bytes: actual data;
  - 4 bytes: FNV1a hash of actual data;
  - L - 4 bytes: actual data;
- AES-128-GCM: Key is the Key of the instruction section, IV = count (2 bytes) + IV (10 bytes). count starts at 0 and increases by 1 for each packet; IV is the 3rd to 12th byte of the instruction section IV.
  - L - 16 bytes: actual data;
  - 16 bytes: GCM authentication information
  - L - 16 bytes: actual data;
  - 16 bytes: GCM authentication information
- ChaCha20-Poly1305: Key = MD5 (instruction part Key) + MD5 (MD5 (instruction part Key)), IV = count (2 bytes) + IV (10 bytes). count starts at 0 and increases by 1 for each packet; IV is the 3rd to 12th byte of the instruction section IV.
  - L - 16 bytes: actual data;
  - 16 bytes: Poly1305 authentication information
  - L - 16 bytes: actual data;
  - 16 bytes: Poly1305 authentication information
## Server Response
@ -172,4 +171,4 @@ When the client receives a dynamic port command, the server opens a new port for
## Comment
- To ensure forward compatibility, the values of all reserved fields must be 0.
- To ensure forward compatibility, the values of all reserved fields must be 0.

30
docs/en/document/config.md
View file

@ -1,10 +1,10 @@
# Configure and Run
After [downloading and installing Xray](./install/), you need to configure it,
After [downloading and installing Xray](./install/), you need to configure it.
For demonstration, only a simple configuration method is introduced here. More templates: [Xray-examples](https://github.com/XTLS/Xray-examples)
For demonstration purposes, only a simple configuration method is introduced here. For more templates, please refer to [Xray-examples](https://github.com/XTLS/Xray-examples).
If you need to configure more complex functions, please refer to the relevant instructions in the more detailed [configuration file](../config/).
If you need to set up more advanced features, please refer to the relevant instructions in the more detailed [configuration file](../config/).
## Server Configuration
@ -14,7 +14,7 @@ You need a server outside the firewall to run server-side Xray. The configuratio
{
"inbounds": [
{
"port": 10086, // server listening port
"port": 10086, // The port on which the server is listening
"protocol": "vmess",
"settings": {
"clients": [
@ -33,7 +33,7 @@ You need a server outside the firewall to run server-side Xray. The configuratio
}
```
In the configuration of the server, you need to ensure `id` that the and port are consistent with the client, and then you can connect normally.
In server configuration, it is necessary to ensure that the `id` and port are consistent with the client in order to establish a normal connection.
## Client Configuration
@ -43,7 +43,7 @@ On your PC (or phone), you need to run Xray with the following configuration:
{
"inbounds": [
{
"port": 1080, // SOCKS proxy port, the proxy needs to be configured in the browser and point to this port
"port": 1080, // SOCKS代理端口,需要在浏览器中配置代理并指向该端口
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
@ -57,8 +57,8 @@ On your PC (or phone), you need to run Xray with the following configuration:
"settings": {
"vnext": [
{
"address": "server", // Server address, please change it to your own server IP or domain name
"port": 10086, // server port
"address": "server", // 服务器地址请将其更改为您自己的服务器IP或域名
"port": 10086, // 服务器端口
"users": [
{
"id": "b831381d-6324-4d53-ad4f-8cda48b30811"
@ -86,14 +86,14 @@ On your PC (or phone), you need to run Xray with the following configuration:
}
```
The only thing to change in the above configuration is your server IP, which is noted in the configuration. The above configuration will forward all traffic to your server except on the LAN (such as the access router).
The only thing you need to modify in the above configuration is your server's IP address, which is indicated in the configuration. This configuration will redirect all traffic to your server, except for traffic on the local area network (such as the access router).
## Run
- On Windows and macOS, configuration files are usually `config.json`
- Just run `Xray` or `Xray.exe`
- On Linux, configuration files are usually located in `/etc/xray/` or `/usr/local/etc/xray/`.
- Run `xray run -c /etc/xray/config.json`
- Or use something like systemd to run Xray as a service in the background.
- On Windows and macOS, the configuration files are usually named `config.json`.
- To start Xray, simply run `Xray` or `Xray.exe`.
- On Linux, the configuration files are usually located in `/etc/xray/` or `/usr/local/etc/xray/`.
- To start Xray, run the command `xray run -c /etc/xray/config.json`.
- Alternatively, you can use a tool like systemd to run Xray as a background service.
For more detailed instructions, please refer to [Configuration](../config/) Document and [小小白话文](./level-0/).
For more detailed instructions, please refer to the [Configuration](../config/) Document and [Layman's Terms](./level-0/).

108
docs/en/document/level-0/ch01-preface.md
View file

@ -1,96 +1,100 @@
# 【第 1 章】 小小白白话文
# [Chapter 1] Simple and Plain Language
## 1.1 这篇文档是写给谁的?
## 1.1 Who is this document written for?
一句话:写给 **① 零基础** **② 希望学习自建 VPS** 的新人。
One sentence: Written for newbies who are **(1) absolute beginners** and **(2) interested in learning how to build their own VPS**.
## 1.2 这篇文档不是写给谁的?
## 1.2 Who is this document not written for?
包括但不限于:各路大神大能、懒得自己折腾的小白、已经会折腾的高手、确定要用机场的土豪、确定要用一键脚本的逍遥派...... 总之只要有技术基础、或不愿不想自建的同学,您直接关闭本文即可,因为这篇文章大概是入不了您的法眼的,更可能会让您生一肚子闲气,那多划不来。
Including but not limited to: experts and professionals, beginners who are too lazy to tinker on their own, advanced users who already know how to tinker, wealthy users who insist on using airport services, and those who prefer using one-click scripts. In short, if you have a technical background or don't want to build it yourself, you can close this article directly, because this article may not be suitable for you and may even make you upset.
## 1.3 郑重声明及其他声明
## 1.3 Declaration and Other Statements
郑重声明:
Declaration:
鄙人技术奇菜无比,故本文必然挂一漏万破绽百出。您若发现问题还请温柔提醒,莫要人参公鸡。
My technical skills are extremely limited, so this article is inevitably full of errors and flaws. If you find any problems, please kindly point them out and don't be too harsh on me.
免责声明:
Disclaimer:
本文内容请您自行判断是否可信可靠可用,若您根据本文内容建立和使用 VPS 服务器时出了任何问题和不良结果,鄙人概不负责。
Please judge the reliability and usability of the content of this article by yourself. If you encounter any problems or negative results when establishing and using a VPS server based on the content of this article, I am not responsible for it.
啰嗦声明:
Verbose statement:
基于本文【零基础用户】的目标受众,许多内容会尽力详尽说明,所以语言偏啰嗦,请做好心理准备。
Considering the target audience of this article, which is "users with zero experience", many details will be explained in great detail, so the language may be verbose. Please be mentally prepared for this.
## 1.4 为什么自建是个难题?
## 1.4 Why is self-hosting a challenge?
要回答这个问题,就需要稍微多说一点背景信息了。
To answer this question, we need to provide a little more background information.
一、科学上网这件事
1. On the matter of accessing the internet through scientific means
科学上网这件事情,说来已经发展了近二十年(震惊!!!.jpg。最初自己稍微动动手即可改改 host、连一下 ssh、后来需要找一个网页代理再后来需要写一个私有协议(比如 Shadowsocks)等等。
The act of accessing the internet using scientific methods has been around for almost 20 years (shocking!!!.jpg). Initially, one could do it with a little effort (changing the host file, using SSH), then one had to find a web proxy, and later, one had to develop a private protocol (such as Shadowsocks) and so on.
随着 GFW 技术这十几年来不断的迭代升级,若要完成【自己动手科学上网】这个目标,需要做的事情已经包括但不限于:
With the continuous iteration and upgrade of GFW technology over the past decade, to achieve the goal of [building your own scientific Internet access], the things that need to be done include but are not limited to:
- 了解 Linux 系统基本命令
- 了解网络传输协议
- 有技术和经济能力完成 VPS 购买及管理
- 有技术和经济能力完成域名购买及管理
- 有技术能力完成 TLS 证书申请 等等。
- Understand basic Linux commands
- Understand network transmission protocols
- Have the technical and financial ability to purchase and manage a VPS
- Have the technical and financial ability to purchase and manage a domain name
- Have the technical ability to apply for a TLS certificate, and so on.
这就让【自建 VPS 科学上网】这个曾经简单的行为逐渐变成了令新人望而生畏的挑战。
This has turned the once simple act of [setting up a self-built VPS for accessing the internet in a secure and unrestricted manner] into a daunting challenge that intimidates newcomers.
二、零基础用户的无奈
2. Helplessness of Zero-based Users
零基础的非技术用户如果完成上面这一连串的操作势必要学习大量的知识但稍微搜索之后新人只怕会更加迷茫大量的信息散布在互联网的各个角落博客、问答网站、群组、论坛、GitHub、Telegram、YouTube 等等等等)。这些信息纷乱复杂、水平良莠不齐、甚至可能互相矛盾。基本上就是不把新人彻底弄晕誓不罢休。
For non-technical users with zero foundation, if they complete the above series of operations, they will inevitably need to learn a lot of knowledge. However, after a little searching, newbies are likely to become even more confused: a large amount of information is scattered in various corners of the Internet: blogs, Q&A sites, groups, forums, GitHub, Telegram, YouTube, and so on. These pieces of information are chaotic and complex, with varying levels of quality, and may even contradict each other. Basically, they won't stop until they completely confuse the newcomer.
面对这些杂乱无章的信息,新人突然就从【信息匮乏】变成了【信息过剩】。若是几番连蒙带猜的折腾以失败告终(大概率如此)的话,他的积极性势必大受挫折。在这个过程中,若他又恰好去了一些不太友好的地方去求助,恐怕还要雪上加霜的被嘲讽一番:“这么菜,用机场不就行了,瞎折腾什么啊!”、“先去学会 Linux 再回来问吧”。
Faced with such chaotic information, newcomers suddenly shift from [information scarcity] to [information overload]. If they fail after several attempts of groping and guessing (which is highly probable), their enthusiasm is bound to be greatly frustrated. In this process, if they happen to seek help in some unfriendly places, they may be ridiculed even more: "You're so inexperienced, just use the airport, why bother messing around!" "Go learn Linux first before coming back to ask."
这时候,大概也只有一声“呵呵”可以表达心情了。
At this moment, probably only an "hehe" can express the mood.
## 1.5 “用机场不就行了?”
## 1.5 "Why not just use the airport?"
首先,我想反问一下那些冷嘲热讽的人:“用机场”真的就是万灵药吗?
First of all, I would like to respond to those who ridicule and criticize by asking a question: Is using the airport really a panacea?
其次,我认为“不懂”和“不想懂”是有本质区别的。态度恶劣的巨婴伸手党自然惹人厌烦,但真心自学却不得要领的人不该受到无端的白眼和歧视,也正是这种对新人不加区分的恶劣社区氛围促使我写下本文。那么闲话少说,我们来看看机场的优势与劣势究竟如何:
Secondly, I believe that there is a fundamental difference between "not understanding" and "not wanting to understand". The bad attitude of some people who just want handouts is naturally annoying, but those who sincerely want to learn but don't know how should not be subject to unjustified contempt and discrimination. It is precisely this kind of bad community atmosphere that does not distinguish between newcomers that prompted me to write this article. So without further ado, let's take a look at the advantages and disadvantages of the airport:
一、“机场“的优势
1. 稳定性高:机场节点数量多,分布广泛,避免了单点故障的风险,保证了整个网络的稳定性。
2. 速度快:机场的节点通常采用高速服务器和优化的网络架构,网络速度较快,能够满足用户的高速上网需求。
3. 安全性高:机场通常会采用严格的安全措施,如流量加密、防火墙等,保护用户数据的安全性。
4. 稳定性高:机场通常采用专业的运维团队进行管理和维护,保证了服务的稳定性和可靠性。
5. 服务质量高:机场通常会提供完善的客户服务,及时解决用户的问题和反馈,提升用户的满意度。
所谓“机场”,就是“线路提供商”。他负责完成 1.4 提到的那一串技术操作和管理,用户则付费获得使用权。所以,它的优点至少有:
The so-called "airport" refers to the "line provider". They are responsible for completing the technical operations and management mentioned in section 1.4, while users pay for the right to use the service. Therefore, its advantages include at least:
1. **用户操作简单**:扫码操作、一键添加规则等
2. **线路选择多**:可解锁不同国家、地区的网络服务;比如 iplc 等专线服务、游戏加速服务等
3. **接入节点多**:所以抵抗节点封锁的能力强一些,封了一个就换下一个
1. **Simple User Operation**: Scan code operation, one-click rule addition, etc.
2. **Multiple Line Options**: Can unlock network services in different countries and regions, such as iplc dedicated line services, game acceleration services, etc.
3. **Multiple Access Nodes**: Therefore, it has a stronger ability to resist node blocking, if one is blocked, just switch to another one.
二、“机场”的风险
2. Risks of "Airport"
“方便”这枚硬币的另一面就是“风险”,基于“机场”的技术特点和市场情况,它的风险至少有:
"The other side of the coin of 'convenience' is 'risk'. Based on the technical characteristics and market conditions of the 'airport', its risks include at least:"
1. **“机场”可完全获得用户信息**:用户在网上的所有痕迹,都【必然】经过且【非常可能】长期存储在其服务器上,这些记录无法受到任何具备法律效力的用户隐私协议的约束(**窥视、记录你的一举一动**
2. **“机场”缺乏市场管理**:不可避免存在着以欺诈为目标的恶意商家(**主动跑路**
3. **“机场”面临监管压力**大机场相对有保障的同时也无法避免树大招风。2020 年间,已经有几个大机场停运、跑路的事件发生,用户的正常使用受到严重干扰(**被动跑路**
4. **“机场”技术水平难以确定**:线路质量良莠不齐,挂羊头卖狗肉的现象屡见不鲜(**速度慢、掉线多、连不上**
1. "Airport" can fully obtain user information: All the traces left by users online will inevitably and very likely be stored on their servers for a long time. These records cannot be restricted by any legally binding user privacy agreement. ("Snooping and recording your every move")
2. "Airport" lacks market management: There are inevitably malicious merchants who target fraud. ("Actively run away")
3. "Airport" faces regulatory pressure: While large airports are relatively secure, they cannot avoid attracting attention. In 2020, several large airports experienced shutdowns and runaways, seriously disrupting users' normal usage. ("Passively run away")
4. "Airport" technical level is difficult to determine: The quality of the line varies greatly, and the phenomenon of falsely advertising quality services is common. ("Slow speed, frequent disconnections, unable to connect")
## 1.6 那么你到底要不要自建呢?
## 1.6 So should you build your own website?
现在,你已经看到了机场的优势和风险,要用什么,就请各位充分思考并自行决定。毕竟,最适合你的方案才是最好的方案。
Now that you have seen the advantages and risks of the airport, please think carefully and make your own decision on what to use. After all, the best plan is the one that suits you best.
![It's Your Choice!](./ch01-img01-choice.png)
1. 如果决定使用机场的话,现在,你可以关闭本文了。
1. If you decide to use the airport, you can close this article now.
2. 如果你决定自建,那就请继续阅读后面的章节吧!!
2. If you decide to build it yourself, please continue reading the following chapters!
总之,本文的目标就是成为零基础用户的知识起点,提供对每一步充分的讲解和演示,清清楚楚(甚至**婆婆妈妈、絮絮叨叨、啰啰嗦嗦**)的协助新人完成【**从输入第一条命令开始,完成 VPS 服务器部署,并成功在客户端完成科学上网**】的全程。并在这个过程中帮助新人逐步接触和熟悉 Linux 的基础操作,为之后的进一步自学打下基础。
In short, the goal of this article is to serve as a starting point for users with zero experience, providing thorough explanations and demonstrations for each step, even if it may seem overly detailed or repetitive. The aim is to assist beginners in completing the entire process of deploying a VPS server from the first command input to successfully accessing the internet via the client, and gradually introducing them to basic Linux operations, laying a foundation for further self-learning.
## 1.7 题外啰嗦几句
## 1.7 Some digressions
1. 墙外的信息泥沙俱下,请务必学会理性、独立的思辨,不要随意站队,不要轻信猎奇的信息。
1. There is a wealth of information outside of the wall, so please learn to think rationally and independently. Don't take sides easily and don't believe in sensational information.
2. 衷心希望大家获得更顺畅的网络后,可以获取更新鲜的知识、更丰富的娱乐、接触更美好的世界、结交更多志同道合的朋友,但不要成为任何有不可告人目的之人的替罪羊。
2. We sincerely hope that with a smoother internet, everyone can access fresher knowledge, richer entertainment, experience a better world, and make more like-minded friends, but do not become a scapegoat for anyone with ulterior motives.
3. 你的互联网身份依然是你的身份,绝对的匿名化是极为困难的,所以请务必遵守你个人所在地区和 IP 所在地区的相关法律法规。无论何时,自我保护都是最基本的底线。
3. Your internet identity is still your identity, and achieving absolute anonymity is extremely difficult. Therefore, please be sure to comply with the relevant laws and regulations in your personal location and the location of your IP address. Self-protection is always the most basic bottom line.
## 1.8 你的进度
## 1.8 Your Progress
> ⬛⬜⬜⬜⬜⬜⬜⬜ 12.5%
> ⬛⬜⬜⬜⬜⬜⬜⬜ 12.5%

55
docs/en/document/level-0/ch02-preparation.md
View file

@ -1,55 +1,52 @@
# 【第 2 章】原料准备篇
# [Chapter 2] Preparation of Raw Materials
这一章比较特殊,因为涉及到金钱交易行为,本文基于项目的中立立场,不做具体的推荐。我能做的,是告诉你需要准备哪些东西。
This chapter is rather special because it involves monetary transactions. This article takes a neutral stance on the project and does not make specific recommendations. What I can do is to tell you what you need to prepare.
## 2.1 获取一台 VPS
## 2.1 Acquiring a VPS
你需要获取一台健康的、IP 没有被墙的 VPS并在管理后台做下面这些基础准备
You need to obtain a healthy VPS with an unblocked IP, and perform the following basic preparations in the management console:
1. 在 VPS 的后台安装 Debian 10 64bit 系统
2. 小本本记下 VPS 的 IP 地址(本文会用 `"100.200.300.400"` 来表示)
::: tip
这是一个故意写错的非法 IP请替换成你的真实 IP
:::
3. 小本本记下 VPS 的 SSH 远程登陆端口(Port)
4. 小本本记下 SSH 远程登录的用户名和密码
1. Install Debian 10 64-bit system in the backend of VPS.
2. Write down the IP address of VPS in a notebook (this article will use `"100.200.300.400"` as an example, which is an intentionally incorrect and illegal IP address. Please replace it with your real IP address).
3. Write down the SSH remote login port of VPS in a notebook.
4. Write down the username and password for SSH remote login in a notebook.
购买 VPS 是一个比较复杂的事情,建议先去学习一下相关知识,选择适合自己的经济能力和线路需求的即可。另外可以选择薅一些国际大厂的羊毛(比如甲骨文和谷歌提供的永久免费或限时免费的套餐)。总之,务必量力而行。
Buying a VPS is a relatively complex matter. It is recommended to first learn the relevant knowledge and choose one that suits your own economic ability and line requirements. In addition, you can choose to take advantage of some benefits offered by international giants (such as permanent free or limited-time free packages offered by Oracle and Google). In any case, you must act within your means.
::: tip 说明
关于选择 Debian 10 作为操作系统,这里稍微多说一句:不管你在网上听说了什么,不管哪个大神告诉你 XXX 版的 Linux 更好、XXX 版的 Linux 更牛,这些 Linux 的派系之争**跟现在的你半毛钱关系也没有**!使用 Debian 10 足以让你的 VPS 服务器在安全、稳健运行的同时得到足够的优化(如 cloud 专用内核、及时的 bbr 支持等)。等你对 Linux 熟悉之后,再回头去尝试其他的 Linux 发行版也不迟。
:::tip Explanation
Regarding the choice of Debian 10 as the operating system, let me elaborate a bit: No matter what you have heard online, no matter which guru has told you that XXX version of Linux is better or XXX version of Linux is more powerful, these sectarian disputes have **nothing to do with you right now**! Using Debian 10 is enough to optimize your VPS server for security, stability, and performance (such as using cloud-optimized kernel, timely support of BBR, etc.). After you become familiar with Linux, you can try other Linux distributions.
:::
## 2.2 获取一个心仪的域名
## 2.2 Obtaining a Desired Domain Name
你需要获取一个域名、并在 DNS 设置中添加一条 A 记录,指向你 VPS 的 IP 地址
You need to obtain a domain name and add an A record in the DNS settings, pointing to the IP address of your VPS.
1. 请选择靠谱的国际域名服务商。选择一些常见的域名后缀就行,注意不要用 `.cn` 后缀。
2. 在 DNS 设置中,添加一条指向你 VPS 的 IP 地址的 A 记录A 记录的名字可以随便起,本文会用 `"a-name"` 来表示。完整的域名则会用 `"二级域名.你的域名.com"` 或者 `"a-name.yourdomain.com"` 来表示)。效果如下图:
1. Please choose a reliable international domain name service provider. Choose some common domain name suffixes, and make sure not to use the `.cn` suffix.
2. In the DNS settings, add an A record pointing to the IP address of your VPS (the name of the A record can be anything, and in this article, it will be represented by `"a-name"`). The complete domain name will be represented by `"subdomain.yourdomain.com"` or `"a-name.yourdomain.com"`. The effect is as shown in the picture below:
![添加A记录](./ch02-img01-a-name.png)
![Add A Record](./ch02-img01-a-name.png)
::: tip
这**不是**一个真实可用的网址,请替换成你的真实网址
This is **not** a real usable website. Please replace it with your real website URL.
:::
## 2.3 你本地电脑上需要安装的软件
## 2.3 Software you need to install on your local computer
1. SSH 远程登录工具
1. SSH remote login tool
- Windows: [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
- Windows: [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
- macOS/Linux: Terminal
2. 远程文件拷贝工具
2. Remote file copying tool
- Windows: [WinSCP](https://winscp.net/eng/index.php)
- Windows: [WinSCP](https://winscp.net/eng/index.php)
- macOS/Linux: Terminal
3. 靠谱的文本编辑器
3. Reliable text editor
- Windows/macOS/Linux: [VSCode](https://code.visualstudio.com)
## 2.4 你的进度
## 2.4 Your Progress
如果上面的原材料你都准备好了的话,你已经拿到了开启新世界大门的钥匙。那还等什么,让我们快点进入下一章,走进这扇门吧!
If you have all the raw materials ready as mentioned above, you have already obtained the key to unlocking the door to a new world. So, what are you waiting for? Let's quickly move on to the next chapter and step through this door!
> ⬛⬛⬜⬜⬜⬜⬜⬜ 25%
> ⬛⬛⬜⬜⬜⬜⬜⬜ 25%

100
docs/en/document/level-0/ch03-ssh.md
View file

@ -1,85 +1,89 @@
# 【第 3 章】远程登录篇
# [Chapter 3] Remote Login
## 3.1 远程登录 VPS (PuTTY)
## 3.1 Remote Login to VPS (PuTTY)
首先,鉴于零基础人群中 Windows 的用户基数最大,所以本文以 Windows 为例进行展示。
First of all, considering that the user base of Windows is the largest among the zero-based population, this article uses Windows as an example for demonstration.
其次,虽然 Windows 10 之后的 PowerShell 和 WSL 也可以达到很好的 SSH 操作体验。但是因为并非所有版本的 Windows 都有最新的组件,故本文还是以老牌的 PuTTY 为例,进行 SSH 远程登录的操作详解。(使用其他工具的话、在 SSH 登陆之后的操作都是一样的)
Secondly, although PowerShell and WSL after Windows 10 can also achieve a good SSH operation experience, not all versions of Windows have the latest components. Therefore, this article uses the classic PuTTY as an example to provide a detailed explanation of SSH remote login operation. (If you use other tools, the operations after the SSH login are the same.)
下面就跟我一步步操作吧。
Follow me step by step and let's start the operation.
1. 进入 PuTTY 的[官网](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html),选择适合你操作系统的版本下载。(本文以 64 位版本为例)
1. Go to the [official website](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) of PuTTY and download the version that suits your operating system (this article uses the 64-bit version as an example).
![下载PuTTY](./ch03-img01-putty-download.png)
![Download PuTTY](./ch03-img01-putty-download.png)
2. 安装运行后,将会看到 PuTTY 的主界面。现在请拿出你上一章记东西的[小本本](./ch02-preparation.md#21-%E8%8E%B7%E5%8F%96%E4%B8%80%E5%8F%B0vps),在下图的对应位置填入你 VPS 的**IP 地址(VPS IP)**和**端口(VPS PORT)**。为了方便以后使用时不用重复输入,我们可以保存会话 (Saved Sessions),未来使用时只要按 Load 即可一键载入设置。
2. After installation and running, you will see the main interface of PuTTY. Now please take out your notebook from the previous chapter where you wrote down the **IP address (VPS IP)** and **port (VPS PORT)** of your VPS in the corresponding positions of the following figure. In order to save time and avoid repeatedly entering these details in the future, we can save the session (Saved Sessions), and simply load it in the future with one click.
![设置PuTTY](./ch03-img02-putty-settings.png)
![PuTTY Settings](./ch03-img02-putty-settings.png)
3. 我建议将 `Connection` 中的 `keepalive` 设置为 `60` 秒,防止你一段时间没有操作之后 SSH 自动断线。另外务必再次保存设置。
3. I suggest setting `keepalive` to `60` seconds in the `Connection` to prevent SSH from automatically disconnecting after a period of inactivity. Be sure to save the settings again.
![防止频繁断线](./ch03-img03-putty-keepalive.png)
![Prevent frequent disconnection](./ch03-img03-putty-keepalive.png)
::: warning 注意
对 PuTTY 的任何设置更新都要再次手动保存 Session不然关闭后就会丢失
::: warning Attention
Any update to the PuTTY configuration needs to be manually saved to the session again. Otherwise, it will be lost after closing.
:::
4. 点击 Open 就会进入 SSH 连接窗口,对应下图输入用户名与密码,与你的 VPS 远程主机建立连接。(本文假设默认用户名是 `root`,另外,在 Linux 系统输入密码的时候,是不会出现 `******` 这种提示符的,这样可以避免密码长度泄漏,不是你的键盘坏掉了哦!)
4. Click on Open to enter the SSH connection window, then enter the username and password corresponding to the following figure to establish a connection with your VPS remote host. (This article assumes that the default username is `root`. Also, when entering a password in the Linux system, there will be no prompt like `******`, which can avoid password length leakage. It's not that your keyboard is broken!)
![SSH远程登录](./ch03-img04-ssh-login.png)
![SSH Remote Login](./ch03-img04-ssh-login.png)
## 3.2 成功登录 SSH初识命令行界面
## 3.2 Successfully Logging in SSH! Introduction to Command Line Interface!
1. 如果你的信息都填写正确,你将会看到类似下图的界面,说明已登录成功:
1. If you have filled in your information correctly, you will see a similar interface as the picture below, indicating that you have successfully logged in:
![初次登录VPS](./ch03-img05-ssh-login-success.png)
![Logging in to VPS for the first time](./ch03-img05-ssh-login-success.png)
这个界面,就等于远程服务器的【桌面】,但它没有你熟悉的图标和鼠标,没有绚丽的色彩,有的只是简单文字,这就是【**命令行界面**】- `Command Line Interface`,或者缩写为 `CLI`
This interface is equivalent to the "desktop" of a remote server, but it does not have familiar icons and a mouse, nor does it have colorful graphics. Instead, all you see is simple text. This is the "**Command Line Interface**" - shortened as `CLI`.
接下来的所有操作,都需要你像电影里的黑客一样,在这个命令行界面中完成。也许你会觉得陌生,但请相信我,使用命令行既不可怕,也不神秘。说到底,它只不过是把你习惯的鼠标操作变成了文字指令而已,**你说一句,它做一句**。
All the following operations require you to act like a hacker in a movie and complete them in this command-line interface. Maybe you will feel unfamiliar, but please believe me, using the command-line interface is neither scary nor mysterious. In the end, it just turns your familiar mouse operations into textual commands, **you say it, it does it**.
2. 现在,你可以稍微观察并熟悉一下命令行环境,这个界面其实已经告诉了你一些有用的信息了,比如系统内核版本(比如图内是 `4.19.37-5`)、上次登录时间及 IP 等。当然根据 VPS 的不同,你看到的界面可能会略有不同。
2. Now, you can observe and familiarize yourself with the command line environment a little bit. This interface has actually provided you with some useful information, such as the system kernel version (e.g. `4.19.37-5` in the picture), last login time and IP address. Of course, depending on the VPS, the interface you see may be slightly different.
3. 请注意命令行最下面一行,闪动的光标左边,有一串字符。图中显示的是`root@vps-server:~#`,这一串要怎么理解呢?很简单:
3. Please pay attention to the line at the bottom of the command line, to the left of the flashing cursor, there is a string of characters. The one shown in the figure is `root@vps-server:~#`. How to understand this string? It's very simple:
- 现在的用户是 `root`
- `root` 所在的服务器是 `vps-server`
- `root` 现在所在的文件夹是 `~`
- `#` 之后是你可以输入命令的地方
- The current user is `root`
- The server where `root` is located is `vps-server`
- The current directory where `root` is located is `~`
- After `#` is the place where you can input commands.
前两个很直观,无需多说。第三个是关于 Linux 的文件夹系统,现在也不需要过于深入,你只需要知道,"`~`"就是【当前用户的大本营】。第四个,提示符`#`,你也不用管,只需要知道,未来文章中会写一些需要你输入的命令,都会以 "`#`" 或者 "`$`" 开头,提示你**后面**是你输入命令的地方。(所以你复制命令的时候,**只需要复制后面的内容**,不要复制提示符)
The first two are pretty straightforward, no need to explain further. The third one is about the folder system in Linux. You don't need to go too deep into it for now. Just know that "`~`" represents **the home directory of the current user**. As for the fourth one, the prompt symbol "`#`", you don't need to worry about it either. Just know that in future articles, there will be some commands that you need to input, and they will be preceded by "`#`" or "`$`" to indicate **where you should input the command**. (So when you copy the command, **just copy the content after the prompt symbol** and don't copy the prompt symbol itself.)
## 3.3 第一次更新 Linux 的软件!
## 3.3 Updating software on Linux for the first time!
1. 正如你的手机,无论安卓还是 iPhone为了 APP 及时更新(获取安全补丁和新功能),都会时不时从应用商店获得更新信息,并且提示你有多少个 APP 可更新。Linux 系统也有逻辑十分类似的更新机制。所以只要你会更新手机 APP就能学会更新 Linux 软件!
1. Just like your phone, whether it's Android or iPhone, in order to keep your apps up-to-date (to get security patches and new features), you will occasionally receive update notifications from the app store, telling you how many apps need to be updated. Linux systems also have a similar update mechanism that works logically. So as long as you know how to update phone apps, you can learn how to update Linux software!
2. Linux 下,每个 APP 都叫做一个“包” package。管理 APP 的程序自然就叫做“包管理器”Package Manager。你可以通过它安装、更新、卸载各种软件、甚至更新 Linux 系统本身。Linux 下的包管理器非常强大,此处按下不表,现在你只需要知道 Debian 系统的包管理器叫做 `apt` 即可。接下来,我们就先使用 `apt` 做一次软件的全面更新,让你熟悉它的基本操作。
2. In Linux, each application is called a "package". The program that manages the applications is naturally called a "package manager". You can use it to install, update, and uninstall various software, and even update the Linux system itself. Package managers in Linux are very powerful, but we won't go into details here. For now, you only need to know that the package manager for the Debian system is called `apt`. Next, we will first use `apt` to do a comprehensive update of the software to familiarize you with its basic operations.
3. 小小白白 Linux 基础命令:
3. Tiny White Linux Basic Commands:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------: | :----------: |
| `cmd-01` | `apt update` | 查询软件更新 |
| `cmd-02` | `apt upgrade` | 执行软件更新 |
| Number | Command Name | Command Description |
| :------: | :-----------: | :----------------------: |
| `cmd-01` | `apt update` | Query software updates |
| `cmd-02` | `apt upgrade` | Perform software updates |
4. 现在请输入第一条命令,获取更新信息
4. Now, please enter the first command to get update information.
```shell
apt update
```
```shell
apt update
```
5. 然后请输入第二条命令,并在询问是否继续安装 `(Y/n)` 时输入 `y` 并回车确认,开始安装
This is a command used in a Linux terminal to update the package list from the repositories configured on the system.
```shell
apt upgrade
```
5. Then enter the second command, and when asked if you want to continue installing `(Y/n)`, type `y` and press enter to confirm and start the installation.
6. 完整流程演示如下:
```shell
apt upgrade
```
![初次软件更新流程演示](./ch03-img06-apt-upgrade-full.gif)
This is a command in the shell terminal to upgrade the installed packages on a Debian or Ubuntu Linux system.
## 3.4 你的进度
6. The complete demonstration of the process is as follows:
**恭喜你又迈出了坚实的一步!** 现在,你已经可以通过 SSH 来登录你的远程服务器了!那登录进去之后,除了升级软件之外,应该再做点什么呢?敬请进入下一章一探究竟吧!
![Demonstration of the software update process for the first time](./ch03-img06-apt-upgrade-full.gif)
> ⬛⬛⬛⬜⬜⬜⬜⬜ 37.5%
## 3.4 Your Progress
**Congratulations on taking another solid step!** Now, you can log in to your remote server via SSH! After logging in, besides upgrading the software, what else should you do? Please enter the next chapter to find out!
> ⬛⬛⬛⬜⬜⬜⬜⬜ 37.5%

549
docs/en/document/level-0/ch04-security.md
View file

@ -1,329 +1,346 @@
# 【第 4 章】安全防护篇
# [Chapter 4] Security and Protection
## 4.1 为什么要做安全防护
## 4.1 Why Do We Need Security Protection?
Linux 服务器的安全防护是一个纷繁复杂的巨大课题。无数的网站、APP、服务、甚至线下基础设施都建立在 Linux 的基石之上,这背后牵涉到巨大的经济利益和商业价值,当然也就就意味着黑灰产有巨大的攻击动力。但是这些服务是如此重要、根本不允许出现重大的安全漏洞。于是无数的运维专业人员都在安全攻防的战场上拼搏努力,这才让大家能享受到基本稳定的现代化数字生活。
Security protection for Linux servers is a complex and huge subject. Countless websites, apps, services, and even offline infrastructure are built on the foundation of Linux, which involves huge economic benefits and commercial value. This also means that there is a huge motivation for black and gray industries to launch attacks. However, these services are so important that major security vulnerabilities are not allowed. Therefore, countless operation and maintenance professionals are working hard on the battlefield of security attacks and defense, which enables us to enjoy a basic stable modern digital life.
现在,你拥有了一台 VPS并且将会敞开他的数据访问渠道来达到流量转发的目标那就相当于你已经置身于安全攻防战场的第一线、直面所有风险。但与此同时新人由于知识和信息的不足看待安全问题是总是难免两极分化要么觉得轻如鸿毛和自己没有半点关系要么觉得重于泰山甚至惶惶不可终日。
Now, you have a VPS and will open its data access channel to achieve the goal of traffic forwarding, which means you are now on the front line of the security battle and face all risks. However, at the same time, newcomers tend to have a polarized view of security issues due to lack of knowledge and information: either they feel it is as light as a feather and has nothing to do with them, or they feel it is as heavy as Mount Tai and feel anxious all day long.
- 对于前者,我的建议是:安全无小事,尽量多查一些安全方面的信息,免得自己真的受了损失才后悔莫及
- For the former, my suggestion is: safety is of utmost importance. Try to gather more information on safety issues to avoid regretting after experiencing losses.
- 对于后者,我的建议是:不用紧张,我们的服务器仍不具有太高的价值、一般不会吸引到高水平的攻击,需要面对的基本都是一些自动化脚本的恶意扫描和登录尝试,跟着本文做一些基础的防护即可
- For the latter, my suggestion is: don't worry too much, our servers still don't have too much value and generally won't attract high-level attacks. The basic threats we need to face are mostly malicious scans and login attempts from some automated scripts. Just follow this article to do some basic protection.
## 4.2 具体的风险到底是什么
## 4.2 What are the specific risks
就像我们在《远程登录篇》配置的一样任何人只需要知道【IP 地址】+【端口】+【用户名】+【密码】这四个要素,就能登录你的 VPS 服务器。那很显然,这四要素的安全就是我们要防护的底线。我们来逐一分析:
Just like the configuration we did in the "Remote Login" section, anyone who knows the four elements of [IP address] + [port] + [username] + [password] can log in to your VPS server. So obviously, the security of these four elements is the bottom line that we need to protect. Let's analyze them one by one:
1. 【IP 地址】:恶意脚本会随机尝试和扫描 IP 段,可以简单认为是公开信息、无法隐藏
1. [IP Address]: Malicious scripts randomly attempt to scan IP ranges, which can be regarded as public information and cannot be hidden.
2. 【端口】:如果使用默认端口,那么【端口 = `22`
2. [Port]: If you are using the default port, then [Port = `22`].
3. 【用户名】:如果使用默认用户,那么【用户名 = `root`
3. [Username]: If using the default user, then [Username = `root`]
4. 【密码】:密码不存在默认值,一定是由 VPS 后台随机生成或由你自行设置的。也就是说,如果你的服务器都是默认设置,则四要素中的三个已经是已知的,那么你整个服务器的安全,就全部寄托在一串小小的密码上了。这时有几种情况:
4. [Password]: There is no default value for the password. It must be randomly generated by the VPS backend or set by you. In other words, if all the settings of your server are default, then three of the four elements are already known. Therefore, the security of your entire server relies on a small password. In this case, there are several situations:
- 如果你用了 VPS 管理后台随机生成密码,它一般包含随机的十几个大小写混杂的字母和符号,相对比较安全
- If you use a VPS management background to generate passwords randomly, it usually contains random uppercase and lowercase letters, symbols, and is relatively secure.
- 如果你为了好记、把密码改成了类似`123456`这种超弱的密码,破解你的 VPS 服务器可谓不费吹灰之力
- If you changed your password to something super weak like `123456` just for the sake of easy memorization, hacking into your VPS server would be a piece of cake.
- 如果你为了好记、把密码改成了比较复杂、但在别的地方用过的密码,其实也并不安全。你要明白黑客手里有作弊器,比如说`密码表`,包含数万、数十万、数百万甚至更多曾经泄漏的真实密码)
- If you change your password to a more complex one that you have used elsewhere just for the sake of easy memory, it is not really safe. You should understand that hackers have cheats in their hands, such as `password tables`, which contain tens of thousands, hundreds of thousands, millions, or even more real leaked passwords.
5. 但你要明白,没有哪个黑客真的要坐在电脑前一次一次的尝试你的密码,全部的攻击尝试都是恶意脚本自动进行的,它会 24 小时不眠不休的工作。也许每天你酣睡之时,你的服务器都在经受着一轮又一轮的冲击。
5. But you should understand that no hacker really sits in front of a computer and tries your password repeatedly. All attack attempts are carried out automatically by malicious scripts, which work tirelessly for 24 hours. Perhaps while you are sleeping soundly every night, your server is enduring round after round of attacks.
一旦密码被成功撞破,意味着你的四要素全部被攻击者掌握,恶意脚本就会快速登录服务器、获取服务器的最高 `root` 控制权、安装部署它的恶意服务,然后就可以用你的服务器来 24 小时做各种坏事(比如挖矿、传播病毒、发送垃圾邮件、欺诈邮件、做 BT 中继、甚至暗网公众节点等等等等)。如果恶意脚本比较克制,其实可以做到相当的隐蔽性。而新人一般也不会去观察留意 VPS 的登录记录、进程变化、CPU 占用变化、流量变化等指标,你其实就很难发现自己被黑了。直到你的 VPS 服务商封禁你的账号、或者收到律师函为止。
Once the password is successfully cracked, it means that all four of your elements have been mastered by the attacker. The malicious script will quickly log in to the server, obtain the highest `root` control of the server, install and deploy its malicious services, and then use your server to do all kinds of bad things 24 hours a day (such as mining, spreading viruses, sending spam emails, fraudulent emails, acting as a BT relay, and even dark web public nodes, and so on). If the malicious script is relatively restrained, it can actually achieve considerable concealment. Generally, newcomers will not observe and pay attention to indicators such as login records, process changes, CPU usage changes, and traffic changes of the VPS, so it is difficult for you to discover that you have been hacked. Until your VPS service provider blocks your account or you receive a lawyer's letter.
6. 别忘了,你获得 VPS 时大概率需要使用真实的支付信息,你登录各种网站、社交平台时也会留下你的 IP 地址,这些都与你的身份有直接或者间接的关系。于是,**一旦这些坏事发生,它们就不可避免的与你产生了关联。**
6. Don't forget that when you obtain a VPS, you probably need to use your real payment information, and when you log in to various websites and social platforms, your IP address will also be recorded, which has a direct or indirect relationship with your identity. Therefore, once these bad things happen, they will inevitably be associated with you.
## 4.3 我们要做的安全防护有哪些
## 4.3 What security measures do we need to take
基于上述分析,我们要做的,自然就是对【端口】、【用户名】、【密码】这三要素进行加强,来降低被攻破的风险:
Based on the above analysis, what we need to do is to strengthen the three elements of [port], [username], and [password] to reduce the risk of being hacked.
1. 【端口】:将 SSH 远程登录端口修改为【非 22 端口】 4.4
2. 【用户名】:建立【非 root】的新用户、并禁用 root 用户 SSH 远程登录 4.5、4.6
3. 【密码】SSH 启用 RSA 密钥验证登录、同时禁用密码验证登录 4.7
1. [Port]: Modify the SSH remote login port to a [non-22 port] (4.4).
2. [Username]: Create a [non-root] new user and disable root user SSH remote login (4.5, 4.6).
3. [Password]: Enable RSA key verification for SSH login and disable password verification login (4.7).
记得按顺序来,别把自己锁在门外了。
Remember to follow the order and don't lock yourself out.
## 4.4 将 SSH 远程登录端口修改为非 22 端口
## 4.4 Change the SSH Remote Login Port to a Non-22 Port
现在,我们来解决【端口 = `22`】的问题。(注意:有些 VPS 服务商,默认的端口已经是非 22 端口,那么你可以忽略这一步,当然也可以跟着本文改成别的端口)
Now, let's solve the problem of "port = `22`". (Note: some VPS service providers have non-22 ports set as default, so you can ignore this step if that's the case. Of course, you can also follow this article to change it to another port.)
1. 小小白白 Linux 基础命令:
1. Basic commands of Little White Linux:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------------: | :----------: |
| `cmd-03` | `nano` | 文本编辑器 |
| `cmd-04` | `systemctl restart` | 重启某个服务 |
| ID | Command Name | Description |
| :------: | :-----------------: | :---------------: |
| `cmd-03` | `nano` | Text editor |
| `cmd-04` | `systemctl restart` | Restart a service |
2. 小小白白 Linux 基础配置文件
2. Basic Configuration Files of Little White Linux
| 编号 | 配置文件位置 | 文件说明 |
| :-------: | :--------------------: | :------------------: |
| `conf-01` | `/etc/ssh/sshd_config` | SSH 远程登录程序设置 |
| Number | Configuration File Location | File Description |
| :-------: | :-------------------------: | :-------------------------------: |
| `conf-01` | `/etc/ssh/sshd_config` | SSH Remote Login Program Settings |
3. 我们要做的第一件事,当然就是【用`nano`这个文本编辑器打开`SSH远程登录程序设置`】,在 Windows 下,你会【找到文件并双击】,在 Linux 下该怎么办呢?仔细看看上面的命令说明,是不是就很简单了?没错,就是:
3. The first thing we need to do, of course, is to [open the SSH remote login program settings with the text editor `nano`]. In Windows, you will [find the file and double-click] it. What should you do in Linux? Take a close look at the command instructions above, isn't it simple? Yes, it is:
```shell
nano /etc/ssh/sshd_config
```
```shell
nano /etc/ssh/sshd_config
```
4. 文件打开后,你就进入了`nano`的界面,稍微观察一下,你会发现,它把重要的快捷键都显示在屏幕下方了(下图红框内),直接开卷考试、不用死记硬背,是不是很贴心呢?
This is a command in the shell terminal to open the `sshd_config` file located in the `/etc/ssh/` directory using the `nano` text editor.
![nano的界面](./ch04-img01-nano-ui.png)
4. Once the file is opened, you will enter the interface of `nano`. After observing for a while, you will find that it displays important shortcut keys at the bottom of the screen (enclosed in a red box in the figure below). You can take the exam directly without memorizing them, which is very user-friendly, isn't it?
5) 我们要做的第二件事,是【在打开的文件中找到`Port`这一项并修改它的端口】。Port 后面的数字就是 SSH 的端口,一般建议把它改成一个大于`1024`小于`65535`的整数(本文以`9753`为例)。请结合`nano`的快捷键,想一下该怎么操作呢?果然,你又说对了!就是:
![Interface of nano](./ch04-img01-nano-ui.png)
- 使用 `ctrl+w` 进入搜索模式,然后输入 `Port 22` 并回车
- 删除 `22` 并改成 `9753`
- 说明:如果这一行开头有个`#`,证明这一行【不生效】(被注释掉了),你可像我一样在文件最后写一个不带`#`的,或者把`#`删掉就好。
5) The second thing we need to do is to **find the `Port` item in the opened file and modify its port**. The number after `Port` is the SSH port. It is generally recommended to change it to an integer greater than `1024` and less than `65535` (this article takes `9753` as an example). Please think about how to operate it with the shortcut keys of `nano`. You are right again! It is:
::: warning
本文以`9753`为例,就意味着随着本文的发布,这个端口会变成一个不大不小的特征,也许会被攻击者优先尝试、也许被 GFW 干扰、阻断。所以我强烈建议你用一个自己想到的其他端口,毕竟,你有 6 万多个端口可以自由选择。
:::
6. 我们要做的第三件事,是【保存文件并退出】
- 如果第 3 步你有仔细观察,就会发现保存并不是常见的 `ctrl+s`
- 正确的快捷键:保存是 `ctrl+o` + `回车`,退出是 `ctrl+x`
7. 我们最后要做的事,是【重启 ssh 服务,使变更生效】
```shell
systemctl restart ssh
```
8. 完整流程演示如下:
![修改非22端口演示](./ch04-img02-sshd-conf-full.gif)
9. 修改 PuTTY 配置
现在新的端口已经生效,下次使用 PuTTY 登录时就要用`9753`了。所以现在请到 PuTTY 的设置中修改端口号码,然后保存 Session。嗯你应该知道去哪里改了吧如果不知道的话要重读前面的内容了哦
## 4.5 建立非 root 的新用户
第二步,我们来解决【用户名 = `root`】的问题。
首先你要理解, Linux 系统中的`root`,不仅仅是一个管理员账号那么简单。它是整个系统的【根基】、是系统的主宰、至高无上的神。一旦`root`账号出现安全问题,整个系统都只能任人鱼肉、无处可逃。那么就跟随我进行操作吧:
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
| :------: | :-----------: | :--------------------------: |
| `cmd-05` | `adduser` | 给系统新增用户 |
| `cmd-06` | `apt install` | 安装某个软件 |
| `cmd-07` | `visudo` | 修改 sudo 权限设置专用编辑器 |
2. 我们要做的第一件事,是【新增一个用户并设定登录密码】,名字你可以随便起,我这里以`vpsadmin`为例:
```shell
adduser vpsadmin
```
执行命令后,根据提示操作即可。请务必设置一个用户密码(别忘记设置密码时你时看不到 `******` 的)。之后系统会询问你一些用户的附加信息,这些就可以无视,一路回车即可。
![建立新用户](./ch04-img03-adduser.png)
::: warning
本文以`vpsadmin`为例,就意味着随着本文的发布,这个用户名也会变成一个不大不小的特征,也许会被攻击者优先尝试。所以和端口一样,我强烈建议你用一个自己想到的其他用户名。
:::
3. 完整流程演示如下:
![建立新用户](./ch04-img04-adduser-full.gif)
4. 我们要做的第二件事,是【安装`sudo`功能】(`sudo` 就是在关键时刻,让普通账户临时获得 `root` 的神力,战力全开拯救世界)
```shell
apt update && apt install sudo
```
聪明的你大概已经发现,这一行命令其实是两个命令。前一半 `apt update` 你之前已经见过并且用过了,是去服务器刷新软件版本信息。后面的 `apt install`
就是这一次要用到的【安装命令】。两条连接在一起,就是让系统去【刷新可用的最新软件,然后安装最新版的`sudo`程序】。 `&&` 则是把两个命令连起来执行的意思。
5. 我们要做的第三件事,是【把`vpsadmin`用户加入`sudo`名单里,让他有资格借用`root`的神力】
```shell
visudo
```
`User Privilege Specification` 下加入一行 `vpsadmin ALL=(ALL) NOPASSWD: ALL` 即可。
::: warning
我要特别说明的是`NOPASSWD`这个设置,它的意思是`vpsadmin`用户临时使用`root`权限时,不用额外输入密码。**这与一般的安全建议相反**。我之所以如此推荐,是因为很多新人不顾危险坚持使用`root`账号就是因为用`root`时不用重复输入密码、觉得轻松。“两害相权取其轻”,我认为【直接用`root`用户的风险】大于【使用`sudo`
时不用输密码的风险】,所以做了以上的建议。
如果你希望遵守传统习惯、每次使用`sudo`时需要输入密码,那么这一行改成 `vpsadmin ALL=(ALL:ALL) ALL` 即可。
:::
6. 完整流程演示如下:
![建立新用户](./ch04-img05-sudo-full.gif)
## 4.6 禁用 root 用户 SSH 远程登录
1. 现在你已经逐渐熟悉 Linux 了,所以这次换你思考,我们要做的第一件事是什么呢?没错,还是【用`nano`编辑器打开`SSH远程登录程序设置`】,什么,你想不起来怎么操作了?那去复习一下上面的内容再回来吧!............ 正确答案:
```shell
nano /etc/ssh/sshd_config
```
2. 找到`PermitRootLogin Yes`这一项,然后把它后面的设定值改为`no`即可。还记得怎么操作吗?............ 正确答案:
- 使用 `ctrl+w` 进入搜索模式,然后输入 `PermitRootLogin` 并回车
- 删除 `yes` 并改成 `no`
3. 保存文件并退出。还记得怎么操作吗?............ 正确答案:
- 保存是 `ctrl+o`,然后 `回车` 确认
- 退出是 `ctrl+x`
4. 重启 ssh 服务,让变更生效。还记得............ 算了直接公布正确答案:
```shell
systemctl restart ssh
```
5. 完整流程演示如下:
![禁用root用户SSH远程登录](./ch04-img06-ssh-no-root-full.gif)
6. 下次通过 PuTTY 远程 SSH 登录的时候,`root`用户已无法连接,用户名就要换成`vpsadmin`了!方便起见,我们可以在 PuTTY 中把`vpsadmin`设置成默认登录用户名。(啰嗦君:别忘了保存 Session
![PuTTY设置默认用户名](./ch04-img07-putty-default-user.png)
## 4.7 使用 RSA 密钥登录并禁用密码登录
第三步,我们来解决【密码】可能被撞破的问题。
前面我说过,黑客并不是很蠢的用穷举法破解你的密码,而是会用一些比如“密码表”的作弊手段。除非你用的是随机生成的超长密码(比如借助 1Password或者 macOS 的 keychain 等密码管理工具),否则很容易中招。
超长随机密码虽然安全性有所提高,但是基本上无法记忆,手动输入也十分麻烦易错。为了解决这个困境,我们可以直接弃用【密码验证】方式,改用更安全的【密钥验证】。
所谓的【密钥验证】,就是生成【一对】相关联的密钥文件(公钥和私钥),然后把【公钥】上传到 VPS 备用。每次登录时SSH 会将【公钥】和【私钥】进行匹配,若验证是正确的【密钥对】,则验证通过。(换言之,你无需记忆和输入复杂的密码,只要保护好【私钥】这个文件不外泄即可)
- Use `ctrl+w` to enter search mode, then type `Port 22` and press Enter
- Delete `22` and replace it with `9753`
- Note: If this line starts with `#`, it means that this line is [commented out] and [does not take effect]. You can write a new line at the end of the file without `#`, or delete the `#` to enable this line.
::: warning
本文以 `RSA` 密钥举例,是因为 `RSA` 密钥在各种设备、各种 `SSH` 客户端中有广泛悠久的支持历史,且目前依然能提供够用的安全性。但它绝非唯一选择。
其他的常见密钥还有:
- `DSA` - 已经从数学层面被证明不安全,所以永远不要用它
- `ECDSA` - 密钥小安全性高,但其算法被指留有 NSA 的后门,如果你的 VPS 上有值得 NSA 关注的东西就不要用它
- `Ed25519` - 这是一个与 `ECDSA` 十分类似的算法,故具有相似的性能优势。同时其文档全部公开,所以普遍认为无后门
所以,如果你的设备和软件都支持的话,我建议优先选择 `Ed25519` 密钥。
This article uses `9753` as an example, which means that with the release of this article, this port will become a feature that may be prioritized or blocked by attackers or the Great Firewall of China. Therefore, I strongly recommend that you use another port that you come up with yourself, after all, you have over 60,000 ports to choose from freely.
:::
那我们现在就来配置【密钥验证】吧!
6. The third thing we need to do is to [save the file and exit].
1. 运行`PuTTYgen` (PuTTY 密钥生成器)。位置是 `开始菜单` --> `所有程序` --> `PuTTY (64-bit)` --> `PuTTYgen`
- If you observed carefully in step 3, you would have noticed that saving is not done by the common `ctrl+s`.
- The correct shortcut keys: save is `ctrl+o` + `enter`, and exit is `ctrl+x`.
1. 点击`Generate`开始生成(在界面空白处乱晃鼠标增加随机数)
7. The last thing we need to do is to [restart the SSH service to make the changes take effect].
![生成密钥](./ch04-img08-puttygen-save.png)
```shell
systemctl restart ssh
```
::: warning
本图中是以 `2048` 位的 `RSA` 密钥为例的。但实际上,如果要获得与 `EDCSA/Ed25519``256` 位密钥相同的安全性,你需要使用 `3072` 位的 `RSA` 密钥。(即右下角的数字改成 `3072`
:::
This is a shell command to restart the SSH service.
2. 你可以给私钥设置密码,增加一层安全性
3. 点击 `Save public key` 保存公钥,文件名为 `id_rsa.pub`
4. 点击 `Save private key` 保存私钥,文件名为 `id_rsa` (PuTTY 私钥自带`.ppk`后缀)
5. 最重要的,将上方红框内的内容,向下滚动全部复制出来并保存,文件名为 `authorized_keys`。(用 vscode 保存,默认会变成带`txt`后缀的文本文件,这没关系,之后上传 VPS 时我们会把后缀名去掉)
8. The complete process demonstration is as follows:
![保存密钥](./ch04-img09-puttygen-save-keys.png)
![Demonstration of modifying non-22 port](./ch04-img02-sshd-conf-full.gif)
2. 将公钥上传至 VPS 的`vpsadmin`用户下
9. Modify PuTTY Configuration
1. 这一步就需要用到之前准备的`WinSCP`了。
2. 去[官网](https://winscp.net/eng/index.php)下载并安装,会提示你导入 PuTTY 的设置,当然一键导入啦!
"Now that the new port is in effect, you will need to use `9753` the next time you log in with PuTTY. So please go to the PuTTY settings to change the port number and save the session. Well, you should know where to change it, right? (If you don't know, you need to reread the previous content!)"
![一键导入Session](./ch04-img10-winscp-import-session.png)
## 4.5 Creating a New User Without Root Access
3. 如果没有提示导入或者你已经提前安装好了,那按照下图进行配置即可
In the second step, let's solve the issue of the username being `root`.
![WinSCP登录设置](./ch04-img11-winscp-ui.png)
Firstly, you need to understand that `root` in Linux system is not just a simple administrator account. It is the foundation of the entire system, the ruler and the supreme god of the system. Once the `root` account has security issues, the entire system will be vulnerable and there will be nowhere to hide. So, let's follow me to carry out the operations:
4. WinSCP 左边的目录就是本地电脑上的文件夹和文件,请定位到密钥所在的文件夹
1. Little White Linux Basic Commands:
5. WinSCP 右边的目录则是 VPS 服务器上的文件夹和文件,默认就在 `/home/vpsadmin/` 文件夹,此时在请点击右下角 `X hidden` 来显示隐藏文件
| Number | Command Name | Command Description |
| :------: | :-----------: | :-----------------------------------------------: |
| `cmd-05` | `adduser` | Add new user to the system |
| `cmd-06` | `apt install` | Install a software package |
| `cmd-07` | `visudo` | Special editor to modify sudo permission settings |
![本地和远程文件夹](./ch04-img12-winscp-locations.png)
2. The first thing we need to do is to [add a new user and set a login password]. You can choose any name you want, here I will use `vpsadmin` as an example:
6. 在右边VPS 中)点击右键并新建文件夹,起名`.ssh` (注意有一个`.`
```shell
adduser vpsadmin
```
![在VPS中建立放置公钥的文件夹](./ch04-img13-winscp-newfolder-key.png)
This is a command in the shell terminal to add a new user named "vpsadmin".
7. 将【公钥】`authorized_keys`上传到`.ssh`文件夹内
After executing the command, follow the prompts to operate. Be sure to set a user password (remember that you won't see `******` when setting the password). Afterwards, the system will ask you for some additional user information, which can be ignored by pressing Enter all the way.
![上传authorized_keys](./ch04-img14-winscp-upload-key.png)
8. 在上传时,将【公钥】从 `authorized_keys.txt` 改名为 `authorized_keys`(去掉`.txt`这个后缀名)
![确保没有任何后缀](./ch04-img15-winscp-rename-key.png)
9. 完整流程演示如下:
![WinSCP操作完整演示](./ch04-img16-winscp-full.gif)
3. 在 VPS 端设置 SSH 启用 RSA 密钥验证登录、同时禁用密码验证登录
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-08` | `sudo` | 用`root`权限运行某个命令 |
| `cmd-09` | `chmod` | 修改目标文件/文件夹的权限 |
2. SSH 远程连接到 VPS 上PuTTY
3. 修改 `authorized_keys` 文件权限为 `600` (仅所有者可读可写)
```shell
chmod 600 ~/.ssh/authorized_keys
```
4. 修改 SSH 配置。这个我们已经用了很多次,但现在我们已经从无所不能的`root`变成了普通用户`vpsadmin`,此时的我们是没有权限直接编辑 SSH 配置的。这时候就需要使用`sudo`命令了:
```shell
sudo nano /etc/ssh/sshd_config
```
5. 找到(`ctrl+w`) `PasswordAuthentication` 改成 `no`
6. 找到(`ctrl+w`) `PubkeyAuthentication` 改成 `yes`,然后保存(`ctrl+o`)退出(`ctrl+x`)
7. 重启 SSH 服务。(啰嗦君:别忘了现在需要使用`sudo`来获得权限)
```shell
sudo systemctl restart ssh
```
8. 完整流程如下:
![SSH开启密钥验证并禁用密码验证](./ch04-img17-rsa-login-full.gif)
4. VPS 端已经设置好了公钥,现在要给 PuTTY 指定私钥位置供登录时使用(啰嗦君:别忘了保存 Session
![PuTTY指定私钥位置](./ch04-img18-putty-privatekey-location.png)
5. 至此,【密钥登录】已成功开启、【密码验证】已成功关闭、并且还给 PuTTY 保存了默认的登录用户名和私钥。未来使用 PuTTY 登录时,载入`VPS-SERVER`配置后,点击`Open`就可以一键登录了。
如果你给私钥设置了密码保护,登录时当然还需要输入这个密码才能使用密钥,如下图:
![输入私钥密码](./ch04-img19-putty-privatekey-passphrase.png)
6. 别忘了给`WinSCP`也做对应的密钥设置,否则之后想要传输文件时就无法登录了:
![WinSCP指定私钥位置](./ch04-img20-winscp-privatekey-location.png)
![Creating a new user](./ch04-img03-adduser.png)
::: warning
任何需要借助 SSH 进行登录的软件都需要密钥验证了,软件过多,无法逐一展示,请根据你的需要自行设置好哦
This article takes "vpsadmin" as an example, which means that with the release of this article, this username will also become a significant feature, and may be the first choice for attackers to try. Therefore, just like ports, I strongly recommend that you use another username that you come up with yourself.
:::
3. The complete process demonstration is as follows:
![Creating a new user](./ch04-img04-adduser-full.gif)
4. The second thing we need to do is to install the `sudo` function (which allows ordinary accounts to temporarily obtain the power of `root` at critical moments and unleash their full power to save the world).
```shell
apt update && apt install sudo
```
This is a shell command to update the package list and install the "sudo" package.
You may have noticed that this command actually consists of two commands. The first half, `apt update`, you have seen and used before, is to refresh the software version information on the server. The latter half, `apt install`, is the installation command that will be used this time. The two commands are connected together to instruct the system to refresh the latest available software and then install the latest version of the `sudo` program. `&&` is used to link the two commands together for execution.
5. The third thing we need to do is to add the `vpsadmin` user to the `sudo` list, so that they have the privilege to borrow the power of `root`.
```shell
visudo
```
(Note: `visudo` is a command used in Linux/Unix systems to edit the sudoers file, which specifies which users or groups are allowed to run certain commands with administrative privileges.)
Simply add the following line under `User Privilege Specification`: `vpsadmin ALL=(ALL) NOPASSWD: ALL`.
::: warning
I want to specifically explain the setting of `NOPASSWD`. It means that when the `vpsadmin` user temporarily uses the `root` permission, no additional password needs to be entered. This is contrary to general security recommendations. The reason why I recommend this is that many newcomers insist on using the `root` account because they feel relaxed when using `root` without repeatedly entering passwords. "Choosing the lesser of two evils," I believe that the risk of [directly using the `root` user] is greater than the risk of [not entering a password when using `sudo`], so I made the above suggestion.
If you want to follow the traditional practice and enter a password every time you use `sudo`, then you can change this line to `vpsadmin ALL=(ALL:ALL) ALL`.
6. The complete process demonstration is as follows:
![Creating a new user](./ch04-img05-sudo-full.gif)
## 4.6 Disabling SSH Remote Login for Root User
1. Now that you're gradually getting familiar with Linux, it's time for you to think. What's the first thing we need to do? That's right, it's still to use the `nano` editor to open the `SSH remote login program settings`. What? You can't remember how to do it? Then go back and review the content above and come back! ............ Correct answer:
```shell
nano /etc/ssh/sshd_config
```
This is a command line instruction to open and edit the `sshd_config` file located at `/etc/ssh/` using the `nano` text editor.
2. Find the line `PermitRootLogin Yes`, and change the value after it to `no`. Do you remember how to do it? ............ Correct answer:
- Use `ctrl+w` to enter search mode, then enter `PermitRootLogin` and press enter.
- Delete `yes` and change it to `no`.
3. Save the file and exit. Do you remember how to do it? ............ Correct answer: N/A (The correct answer is not provided in the given text.)
- Save is `ctrl+o`, then press `Enter` to confirm.
- Exit is `ctrl+x`.
4. Restart the ssh service to make the changes take effect. Do you remember...? Never mind, let's just reveal the correct answer:
```shell
systemctl restart ssh
```
(This is a Linux shell command to restart the SSH service.)
5. The complete process is demonstrated as follows:
![Disable SSH remote login for root user](./ch04-img06-ssh-no-root-full.gif)
6. Next time you log in remotely via SSH using PuTTY, you will no longer be able to connect as the `root` user. You will need to use the username `vpsadmin` instead. For convenience, you can set `vpsadmin` as the default login username in PuTTY. (Tip: Don't forget to save the session.)
![PuTTY Setting Default User Name](./ch04-img07-putty-default-user.png)
## 4.7 Login with RSA Key and Disable Password Login
In the third step, we will solve the problem of the password being cracked.
As mentioned earlier, hackers are not foolish enough to crack your password by brute force, but rather they use cheating methods such as "password tables". Unless you use a randomly generated super long password (such as with 1Password, or macOS keychain and other password management tools), it's easy to fall victim to this.
Although a very long random password can improve security, it is usually difficult to remember and manually enter, which can also lead to mistakes. To solve this problem, we can simply abandon the "password verification" method and switch to a more secure "key verification" method.
The so-called "key authentication" refers to generating a pair of related key files (public key and private key), uploading the "public key" to the VPS for backup. Each time you log in, SSH will match the "public key" and "private key". If the verification is correct, the "key pair" will be verified and the authentication will pass. (In other words, you don't need to remember and enter complex passwords, just protect the "private key" file from being leaked.)
::: warning
This article uses `RSA` keys as an example because `RSA` keys have a long history of support in various devices and `SSH` clients and can still provide sufficient security. However, it is not the only choice available.
Other common keys include:
- `DSA` - It has been mathematically proven to be insecure, so never use it.
- `ECDSA` - It has high security with small keys, but its algorithm is suspected to have a backdoor by the NSA. If there is something on your VPS that is worth the attention of the NSA, do not use it.
- `Ed25519` - This is an algorithm that is very similar to `ECDSA`, and it has similar performance advantages. At the same time, all of its documentation is public, so it is generally considered to be free of backdoors.
So, if your device and software both support it, I recommend choosing `Ed25519` keys as a priority.
:::
## 4.8 你的进度
Now let's configure the [Key Authentication]!
到这里为止,你的 VPS 已经完成了【端口】、【用户名】、【密码】这三要素的基本安全保障,虽然远称不上固若金汤,但一般的恶意脚本应该已经无法对你造成伤害了!
1. Run `PuTTYgen` (PuTTY Key Generator). The location is `Start Menu` --> `All Programs` --> `PuTTY (64-bit)` --> `PuTTYgen`.
现在我们终于有了一个安全的系统基础,下一章,我们就可以开始逐步安装配置 Xray 需要的基础设施了!(什么基础设施呢?一个网页,一张证书)
1. Click on `Generate` to start the generation process (move the mouse randomly in the blank area of the interface to add random numbers).
> ⬛⬛⬛⬛⬜⬜⬜⬜ 50%
![Generate Key](./ch04-img08-puttygen-save.png)
::: warning
The example in this image is based on a `2048`-bit `RSA` key. However, in reality, if you want to achieve the same level of security as a `256`-bit key for `EDCSA/Ed25519`, you need to use a `3072`-bit `RSA` key. (i.e., change the number in the bottom right corner to `3072`)
:::
2. You can add a password to your private key to increase security.
3. Click on `Save public key` to save the public key with the file name `id_rsa.pub`.
4. Click on `Save private key` to save the private key with the file name `id_rsa` (PuTTY private keys come with the `.ppk` extension).
5. Most importantly, copy and save all the content inside the red box below by scrolling down, with the file name `authorized_keys`. (If you save it using vscode, it will be saved as a text file with a `.txt` extension, which is fine. We will remove the extension when uploading it to VPS later.)
![Save Key](./ch04-img09-puttygen-save-keys.png)
2. Upload the public key to the "vpsadmin" user on the VPS.
1. This step requires the use of the previously prepared `WinSCP`.
2. Go to the [official website](https://winscp.net/eng/index.php) to download and install. It will prompt you to import PuTTY settings, and of course, you can import them with one click!
![One-click Import Session](./ch04-img10-winscp-import-session.png)
3. If there is no prompt for import or you have already installed it in advance, configure it according to the following figure.
![WinSCP login settings](./ch04-img11-winscp-ui.png)
4. The directory on the left side of WinSCP is the folder and files on your local computer. Please locate the folder where the key is stored.
5. The directory on the right side of WinSCP is the folder and files on the VPS server, which are located in the `/home/vpsadmin/` folder by default. To display hidden files, please click on `X hidden` in the lower right corner.
![Local and remote folders](./ch04-img12-winscp-locations.png)
6. Right-click on the right side (in VPS) and create a new folder named `.ssh` (note the period at the beginning).
![Create a folder to place public key in VPS](./ch04-img13-winscp-newfolder-key.png)
7. Upload the [public key] `authorized_keys` to the `.ssh` folder.
![Upload authorized_keys](./ch04-img14-winscp-upload-key.png)
8. When uploading, rename the [public key] from `authorized_keys.txt` to `authorized_keys` (remove the `.txt` extension).
![Ensure there is no file extension](./ch04-img15-winscp-rename-key.png)
9. The complete process demonstration is as follows:
![Complete demonstration of WinSCP operation](./ch04-img16-winscp-full.gif)
3. Enable RSA key authentication for SSH login and disable password authentication login on the VPS side.
1. Basic Linux Commands:
| Number | Command | Description |
| :------: | :-----: | :-----------------------------------------------: |
| `cmd-08` | `sudo` | Run a command with `root` privileges |
| `cmd-09` | `chmod` | Change the permissions of a target file/directory |
2. SSH remote connection to VPS (PuTTY)
3. Change the permission of the `authorized_keys` file to `600` (only the owner can read and write).
```shell
chmod 600 ~/.ssh/authorized_keys
```
This is a command in shell script to change the permissions of the `authorized_keys` file to `600` for the current user's SSH directory (`~/.ssh/`).
4. Modify SSH configuration. We have used this many times, but now that we have changed from the almighty `root` to the ordinary user `vpsadmin`, we do not have the permission to edit SSH configuration directly. At this time, we need to use the `sudo` command:
```shell
sudo nano /etc/ssh/sshd_config
```
(This is a command in the shell/terminal to open the sshd_config file located in the /etc/ssh/ directory with the sudo privilege using the nano text editor.)
5. Find (`ctrl+w`) `PasswordAuthentication` and change it to `no`.
6. Find (`ctrl+w`) `PubkeyAuthentication`, change it to `yes`, then save (`ctrl+o`) and exit (`ctrl+x`).
7. Restart the SSH service. (Note: Don't forget to use `sudo` to gain permission.)
```shell
sudo systemctl restart ssh
```
This is a command in the shell terminal to restart the SSH service with root privileges using the `systemctl` command.
8. The complete process is as follows:
![Enable SSH key verification and disable password verification](./ch04-img17-rsa-login-full.gif)
4. The public key has been set up on the VPS end. Now we need to specify the private key location for PuTTY to use when logging in. (Reminder: Don't forget to save the session.)
![Specify private key location in PuTTY](./ch04-img18-putty-privatekey-location.png)
5. Now, the [Key-based login] has been successfully enabled, [Password authentication] has been successfully disabled, and the default login username and private key have been saved for PuTTY. In the future, when using PuTTY to log in, simply load the `VPS-SERVER` configuration, click `Open`, and you can log in with just one click.
If you have set a password for your private key, you need to enter this password to use the key when logging in, as shown in the following figure:
![Enter Private Key Password](./ch04-img19-putty-privatekey-passphrase.png)
6. Don't forget to set the corresponding key for `WinSCP`, otherwise you won't be able to log in when you want to transfer files later.
![WinSCP Specify Private Key Location](./ch04-img20-winscp-privatekey-location.png)
::: warning
Any software that requires SSH login needs key verification. As there are too many software, it is impossible to show them one by one. Please set it up according to your needs.
:::
## 4.8 Your Progress
Up to this point, your VPS has completed the basic security measures of [port], [username], and [password]. Although it is not completely impregnable, most malicious scripts should no longer be able to harm you.
Now that we finally have a secure system foundation, in the next chapter, we can start step by step to install and configure the infrastructure that Xray needs! (What infrastructure? A web page, a certificate)
> ⬛⬛⬛⬛⬜⬜⬜⬜ 50%

116
docs/en/document/level-0/ch05-webpage.md
View file

@ -1,59 +1,59 @@
# 【第 5 章】网站建设篇
# Chapter 5: Website Building
## 5.1 为什么要做一个网站?
## 5.1 Why should you create a website?
新人也许会迷惑,为什么科学上网还要建一个网站?我不会编程啊,是不是特别麻烦?
Some newcomers may be confused: why do I need to build a website for securing an open digital environment? I don't know how to code! Isn't it very complicated?
先回答第一个问题,建网站的原因有:
First, let's answer the first question. The reasons for building a website are:
1. 申请合法的 TLS 证书(非常重要)
2. 提供合理的回落,防止主动探测攻击,提高安全性
3. 建设一个伪装站(如博客、私人网盘、多媒体网站、游戏网站等),直接访问时有合理的前台,使流量使用看上去更合理。
1. Apply for a legitimate TLS certificate (very important)
2. Provide reasonable fallback to prevent active probing attacks and improve security
3. Set up a camouflage site (such as a blog, private cloud storage, multimedia site, game site, etc.) with a reasonable frontend when directly accessed, making traffic usage look more legitimate.
再回答第二个问题:
Now let's answer the second question:
1. 本文作为演示,仅仅使用了一个最简单的【单文件 html 页面 + Nginx】来搭建以此完成上面的目标所以【非常简单】
2. 这个网站完全可以不仅仅是伪装,而是真的做大做强,这个复杂性就完全取决于你了
3. 对于“伪装”和“网站运营”这个目标,需要的就是各不相同、秀出真我,需要的同学可以自行搜索学习。这个内容已经完全偏离了科学上网,本文就不深入解析了。
1. As a demonstration, this article uses only the simplest "single-file HTML page + Nginx" setup to achieve the above objectives, so it is **very easy**.
2. This website can not only be used for camouflage but also for real development and growth. The complexity depends entirely on you.
3. For the goals of "camouflage" and "website operation", uniqueness and personalization are needed. Students who need this can search and learn by themselves. This content has completely deviated from scientific online access, so this article will not go into depth.
## 5.2 登录 VPS、安装运行 Nginx
## 5.2 Log in to VPS, install and run Nginx
1. 这里用到的,都是之前已经详解过的命令,所以就不重复讲解了。看不懂的同学可以看看前面的章节哦。
1. Here we use commands that have been explained in detail before, so they won't be repeated. If you don't understand, please refer to the previous chapters.
```shell
sudo apt update && sudo apt install nginx
```
2. 完成后Nginx 已经自动运行。此时打开 Windows 上的浏览器并输入 `http://100.200.300.400:80`,若看到下图的界面就说明 Nginx 已经正常在运行了。
2. After completion, Nginx will automatically run. Open the browser on Windows and enter `http://100.200.300.400:80`. If you see the interface shown below, it means Nginx is running normally.
![Nginx默认界面](./ch05-img01-nginx-default-running.png)
![Nginx default interface](./ch05-img01-nginx-default-running.png)
## 5.3 创建一个最简单的网页
## 5.3 Create the simplest web page
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-10` | `mkdir` | 新建文件夹 |
| `cmd-11` | `systemctl reload` | 重新加载某个服务 |
1. Basic Linux commands for beginners:
| No. | Command Name | Command Description |
| :------: | :----------------: | :-----------------------: |
| `cmd-10` | `mkdir` | Create a new folder |
| `cmd-11` | `systemctl reload` | Reload a specific service |
2. 小小白白 Linux 基础配置文件:
| 编号 | 配置文件位置 | 文件说明 |
|:--:|:--:|:--:|
| `conf-02` | `/etc/nginx/nginx.conf` | Nginx 程序设置 |
2. Basic Linux configuration files for beginners:
| No. | Configuration File Location | File Description |
| :-------: | :-------------------------: | :--------------------: |
| `conf-02` | `/etc/nginx/nginx.conf` | Nginx program settings |
3. 创建一个网站专用的文件夹`/home/vpsadmin/www/webpage/`并建立网页文件`index.html`
3. Create a dedicated folder `/home/vpsadmin/www/webpage/` for the website and create the web page file `index.html`
```shell
mkdir -p ~/www/webpage/ && nano ~/www/webpage/index.html
```
::: warning
如果你用的不是 `vpsadmin` 这个用户名,请务必理解这条命令中 `“~”` 符号的意义(这关系到【第 5 步】你要写的内容):
If you are not using the username `vpsadmin`, please be sure to understand the meaning of the "~" symbol in this command (this is related to Step 5 content):
- 如果是 【非 `root` 用户】,`“~”` 就等价于 `/home/用户名`
- 如果是 【 `root` 用户】,`“~”` 就等价于 `/root`
- If it is a **non-root user**, "~" is equivalent to `/home/username`
- If it is a **root user**, "~" is equivalent to `/root`
:::
4. 把下面的内容完整的复制进去,然后保存(`ctrl+o`)退出(`ctrl+x`)
4. Copy the entire content below, save (`ctrl+o`) and exit (`ctrl+x`).
```html
<html lang="">
@ -89,74 +89,74 @@
site.
</p>
<!-- And add a copyright notice.-->
<p>&#169; Wiley Publishing, 2011</p>
<p>© Wiley Publishing, 2011</p>
</body>
</html>
```
5. 修改 `nginx.conf` 并重启 `Nginx` 服务,将`80`端口的 http 访问定位到刚才建立的 `html` 页面上
5. Modify `nginx.conf` and restart the `Nginx` service, directing the http access on port 80 to the newly created `html` page.
1. 修改 `nginx.conf`
1. Modify `nginx.conf`.
```shell
sudo nano /etc/nginx/nginx.conf
```
2. 将下面一段,添加在 `http{}` 内,然后保存(`ctrl+o`)退出(`ctrl+x`)。(记得将域名替换为之前准备好的、包含二级域名的真实域名)
2. Add the following content inside`http{}`, then save (`ctrl+o`) and exit (`ctrl+x`). (Remember to replace the domain name with the real domain name you prepared earlier, including the subdomain)
```
server {
listen 80;
server_name 二级域名.你的域名.com;
server_name subdomain.your_domain.com;
root /home/vpsadmin/www/webpage;
index index.html;
}
```
::: warning 特别注意!
如我在【第 3 步】中的提示所说,请务必确保 `/home/vpsadmin/www/webpage` 改成你的实际文件路径。
::: warning Be extra careful!
As mentioned in Step 3 of section 5.3, make sure to change `/home/vpsadmin/www/webpage` to your actual file path.
:::
3. `nginx` 重新载入配置使其生效
3. Make `nginx` reload the configuration to take effect.
```shell
sudo systemctl reload nginx
```
4. 完整的设置流程如下:
4. The complete setup process is as follows:
![网页设置演示](./ch05-img02-nginx-conf-full.gif)
![Web page settings demonstration](./ch05-img02-nginx-conf-full.gif)
5. 此时如果你访问 `http://二级域名.你的域名.com`,你看到这样的页面则说明成功:
5. Now, if you visit `http://subdomain.your_domain.com`, you should see this page, indicating success:
![http网页成功](./ch05-img03-nginx-http-running.png)
![http web page success](./ch05-img03-nginx-http-running.png)
## 5.4 常见错误的说明
## 5.4 Common error explanations
首先,如果你一路按照文章的说明来操作,并且足够细心,那肯定不会出错。所以,我并不打算修改本文的写法。
First of all, if you follow the instructions in the article step by step and are careful enough, you will definitely not encounter any errors. So, I don't intend to change how this article is written.
那为什么依然有很多同学卡在了这一步,网页怎么也打不开呢?基本上就是两个字:**粗心**。因为这里配置可能出现的问题只有两种,原因也只有两个。
Then why do some students still get stuck at this step, and the web page just won't open? There are basically two words: **carelessness**. Because there are only two possible issues with the configuration here, and there are only two reasons for them.
一、两种问题:
I. Two types of issues:
- `nginx.conf` 里面的 `/home/vpsadmin/www/webpage` 这一条,与你的实际文件路径不符,`nginx` 找不到文件
- 路径正确,但 `nginx` 无权读取
- In `nginx.conf`, the `/home/vpsadmin/www/webpage` does not match the actual file path; `nginx` cannot find the file
- The path is correct, but `nginx` doesn't have permission to access it
二、两个原因:
II. Two reasons:
- 使用了【非 `root` 用户】,但仍然直接拷贝文中的命令不加修改。(这基本就等于抄答案时把同学的名字一起抄过去了)
- 坚持使用【 `root` 用户】
- Use a **non-root user** but still directly copy the commands in the text without modification. (This is basically like copying the name of another student when copying answers)
- Insist on using a **root user**
碰到错误的同学就回过头仔细看一下【5.3】中【第 3 步】和【第 5-2 步】的说明吧。
If you encounter any errors, please carefully review the explanations in Steps 3 and 5-2 of Section 5.3.
::: warning
本文前期已经用了大量篇幅说明了使用【非 `root` 用户】对安全的重要性,全文也是基于此而写。所以,因使用【 `root` 用户】而导致的问题并不在本文的设计范围里。
In the early stages of this article, a lot of space has been devoted to explaining the importance of using a **non-root user** for security, and the entire article is written based on this premise. So, issues caused by using a **root user** are not within the scope of this article.
但我相信,坚持使用【 `root` 用户】的同学应该是有主见、动手能力强、或者有一定 Linux 基础的同学。问题的症结我已经全部说明了,我相信你一定可以自行解决。
:::
## 5.5 你的进度
But I believe that students who persist in using the `root` user should have their own opinions, strong hands-on ability, or have a certain foundation in Linux. I have already explained the crux of the problem, and I believe you can solve it on your own.
至此Xray 的第一个基础设施【网页】已经就位,我们马上就进入第二个基础设施【证书】吧!
## 5.5 Your Progress
> ⬛⬛⬛⬛⬛⬜⬜⬜ 62.5%
So far, Xray's first infrastructure [webpage] has been established. Let's now move on to the second infrastructure [certificate]!
> ⬛⬛⬛⬛⬛⬜⬜⬜ 62.5%

363
docs/en/document/level-0/ch06-certificates.md
View file

@ -1,212 +1,219 @@
# 【第 6 章】证书管理篇
# [Chapter 6] Certificate Management
## 6.1 申请 TLS 证书
## 6.1 Applying for a TLS Certificate
接下来我们要做的,是为我们的域名申请一个真实的 TLS 证书,使网站具备标准 TLS 加密的能力及 HTTPS 访问的能力。这就是 Xray 等现阶段安全代理工具确保流量充分加密最重要的工具。
Next, we need to apply for a real TLS certificate for our domain name, so that the website has the ability to encrypt with standard TLS and the ability to access via HTTPS. This is the most important tool for Xray and other current security proxy tools to ensure fully encrypted traffic.
::: warning
请不要轻易使用自签证书。它并没有让操作简单太多,但增加了无谓的风险(如中间人攻击)。
Please do not use self-signed certificates lightly. It does not make the operation much simpler, but adds unnecessary risks (such as man-in-the-middle attacks).
:::
这里我会使用一个叫做 [`acme.sh`](https://github.com/acmesh-official/acme.sh) 的证书管理工具,它简单、轻量、高效,并可完成证书自动更新。
Here, I will use a certificate management tool called [`acme.sh`](https://github.com/acmesh-official/acme.sh), which is simple, lightweight, efficient, and capable of automatically updating certificates.
另外,我相信,现在你已经逐渐熟悉了 Linux 的基础操作,所以已经多次出现的命令从本章开始不再重复截图、只做简单的描述。如果实在想不起来怎么用的话,就稍微复习一下前面的章节吧。
In addition, I believe that you have gradually become familiar with the basic operations of Linux. Therefore, from this chapter on, commands that have appeared multiple times will no longer have screenshots and will only be briefly described. If you really can't remember how to use them, just review the previous chapters.
## 6.2 安装 `acme.sh`
## 6.2 Install `acme.sh`
1. 小小白白 Linux 基础命令:
| 编号 | 命令名称 | 命令说明 |
|:--:|:--:|:--:|
| `cmd-12` | `wget` | 访问(或下载)某个网页文件 |
| `cmd-13` | `acme.sh` | acme.sh 证书管理相关的命令 |
1. Basic Linux commands for beginners:
| Number | Command | Description |
| :------: | :-------: | :------------------------------------------------: |
| `cmd-12` | `wget` | Retrieve (or download) a webpage file |
| `cmd-13` | `acme.sh` | Commands related to acme.sh certificate management |
2. 运行安装脚本
2. Run the installation script.
```shell
wget -O - https://get.acme.sh | sh
```
```shell
wget -O - https://get.acme.sh | sh
```
3. `acme.sh` 命令生效
3. Make the `acme.sh` command effective.
```shell
. .bashrc
```
```shell
. .bashrc
```
4. 开启 `acme.sh` 的自动升级
(Note: This command is used to source (load) the `.bashrc` file in the shell environment.)
```shell
acme.sh --upgrade --auto-upgrade
```
4. Enable `acme.sh` automatic upgrade.
5. 到这一步的完整流程如下图:
```shell
acme.sh --upgrade --auto-upgrade
```
![acme.sh安装演示](./ch06-img01-acme-install.gif)
5. The complete process up to this point is shown in the following diagram:
## 6.3 测试证书申请
![acme.sh installation demo](./ch06-img01-acme-install.gif)
在正式申请证书之前,我们先用测试命令(`--issue --test`)来验证是否可以成功申请,这样可以避免在本地配置有误时,反复申请证书失败,超过 Let's Encrypt 的频率上限(比如,每小时、每个域名、每个用户失败最多 5 次),导致后面的步骤无法进行。
## 6.3 Testing Certificate Application
1. 测试证书申请的命令如下(本文均以 `ECC` 证书为例,因为时至今日,实在没什么理由不用它):
Before officially applying for the certificate, we use the testing command (`--issue --test`) to verify if the application can be successfully submitted. This can avoid repeated failures in applying for a certificate due to incorrect local configuration, exceeding the frequency limit of Let's Encrypt (such as a maximum of 5 failures per hour, per domain, or per user), which may prevent the subsequent steps from being carried out.
```shell
acme.sh --issue --server letsencrypt --test -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256
```
1. The command to apply for a test certificate is as follows (this article uses ECC certificate as an example, because there is really no reason not to use it nowadays):
::: warning 说明
`ECC`证书的主要优势在于它的 Keysize 更小,意味着同等大小下安全性的提升和加密解密速度的加快。如 ECC-256bit 的强度大约相当于 RSA-3072bit何乐而不为呢当然有人说 ECC 证书握手会明显更快,这我觉得就有些夸张了,因为 RSA 握手也没有太慢,就算有差别应该也是毫秒级,很难直接感知。
```shell
acme.sh --issue --server letsencrypt --test -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256
```
另外,如果有些网站确实需要兼容某些古老设备的,那也还是请按需选择`RSA`证书。
(Note: This is a command in shell script for obtaining SSL certificate from Let's Encrypt CA using ACME protocol. It specifies the test server, the subdomain for which the certificate is requested, the webroot directory of the subdomain, and the key length to use for the certificate.)
::: warning Explanation
The main advantage of the `ECC` certificate is that its `Keysize` is smaller, which means that security is improved and encryption and decryption speed is faster for the same size. Why not choose ECC-256bit, which is approximately equivalent to RSA-3072bit in strength? Of course, some people say that the ECC certificate handshake is significantly faster, which I think is a bit exaggerated, because RSA handshake is not too slow either. Even if there is a difference, it should be in milliseconds and difficult to perceive directly.
In addition, if some websites do need to be compatible with certain old devices, please still choose RSA certificates according to your needs.
2. You should eventually see a prompt similar to this:
```log
[Wed 30 Dec 2022 04:25:12 AM EST] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Create account key ok.
[Wed 30 Dec 2022 04:25:13 AM EST] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Registered
[Wed 30 Dec 2022 04:25:13 AM EST] ACCOUNT_THUMBPRINT='CU6qmPKuRqhyTAIrF4swosR375194z_1ddUlWef8xDc'
[Wed 30 Dec 2022 04:25:13 AM EST] Creating domain key
[Wed 30 Dec 2022 04:25:13 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 04:25:13 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:13 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 04:25:14 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:14 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 04:25:23 AM EST] Pending
[Wed 30 Dec 2022 04:25:25 AM EST] Success
[Wed 30 Dec 2022 04:25:25 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 04:25:25 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/490205995/7730242871'
[Wed 30 Dec 2022 04:25:25 AM EST] Downloading cert.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/xujss5xt8i38waubafz2xujss5xt8i38waubz2'
[Wed 30 Dec 2022 15:21:52 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPIjw9AKH=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:21:52 AM
3. Note: The certificate applied for here is a test certificate, which cannot be used directly. It is only used to prove that your domain and configuration are correct. If you observe carefully, you will find that the domain that issues the certificate to you is `https://acme-staging-v02.api.letsencrypt.org`, and this `staging` can be understood as a "test server"!
4. If this step goes wrong, you can run the following command to check the detailed application process and specific errors. If you don't understand, you can hide sensitive information and ask in the Xray group.
```shell
acme.sh --issue --server letsencrypt --test -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256 --debug
```
(Note: This command is written in Chinese characters, therefore I have translated it into English. The command is used to issue SSL/TLS certificates using acme.sh client with Let's Encrypt CA in test mode for a subdomain of your domain with the specified webroot path, key length and in debug mode.)
Hmm, that's right. Just added a `--debug` parameter at the end of the command.
5. Once this step is confirmed to be successful, you can apply for the formal certificate. (The test certificate does not need to be deleted, as it will be automatically replaced by the formal certificate.)
## 6.4 Application for Official Certification
1. The command for applying for an official certificate is as follows (i.e., remove the `--test` parameter and add the `--force` parameter at the end):
```shell
acme.sh --set-default-ca --server letsencrypt
```
This is a command in the shell language. It sets the default Certificate Authority (CA) to Let's Encrypt by using the `acme.sh` script.
```shell
acme.sh --issue -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256 --force
```
(Note: This is a command written in shell script that requests a SSL certificate from ACME server using the ACME client "acme.sh". It specifies the subdomain of the domain name, the web root directory of the website, the key length, and forces the re-issuance of the certificate.)
::: warning Explanation
The meaning of the `--force` parameter is to manually (forcefully) update the certificate before the existing certificate expires. Although the certificate we applied for from the "test server" in the previous step cannot be used directly, it has not expired yet, so this parameter is needed.
:::
2. 你最终应该看到类似这样的提示:
2. You should eventually see a prompt that looks similar to the one above.
```log
[Wed 30 Dec 2022 04:25:12 AM EST] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Create account key ok.
[Wed 30 Dec 2022 04:25:13 AM EST] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 04:25:13 AM EST] Registered
[Wed 30 Dec 2022 04:25:13 AM EST] ACCOUNT_THUMBPRINT='CU6qmPKuRqhyTAIrF4swosR375194z_1ddUlWef8xDc'
[Wed 30 Dec 2022 04:25:13 AM EST] Creating domain key
[Wed 30 Dec 2022 04:25:13 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 04:25:13 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:13 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 04:25:14 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 04:25:14 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 04:25:23 AM EST] Pending
[Wed 30 Dec 2022 04:25:25 AM EST] Success
[Wed 30 Dec 2022 04:25:25 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 04:25:25 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/490205995/7730242871'
[Wed 30 Dec 2022 04:25:25 AM EST] Downloading cert.
[Wed 30 Dec 2022 04:25:25 AM EST] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/xujss5xt8i38waubafz2xujss5xt8i38waubz2'
[Wed 30 Dec 2022 15:21:52 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPIjw9AKH=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:21:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.cer
[Wed 30 Dec 2022 15:21:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:21:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/ca.cer
[Wed 30 Dec 2022 15:21:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/fullchain.cer
```
```log
vpsadmin@vps-server:~$ acme.sh --issue -d subdomain.yourdomain.com -w /home/vpsadmin/www/webpage --keylength ec-256
[Wed 30 Dec 2022 15:22:51 AM EST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 15:22:51 AM EST] Creating domain key
[Wed 30 Dec 2022 15:22:51 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.key
[Wed 30 Dec 2022 15:22:51 AM EST] Single domain='subdomain.yourdomain.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 15:22:51 AM EST] Getting webroot for domain='subdomain.yourdomain.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Verifying: subdomain.yourdomain.com
[Wed 30 Dec 2022 15:22:51 AM EST] Pending
[Wed 30 Dec 2022 15:22:51 AM EST] Success
[Wed 30 Dec 2022 15:22:51 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 15:22:51 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/490205996/7730242872'
[Wed 30 Dec 2022 15:22:51 AM EST] Downloading cert.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/vsxvk0oldnuobe51ayxz4dms62sk2dwmw9zhuw'
[Wed 30 Dec 2022 15:22:51 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPM=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.cer
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/subdomain.yourdomain.com.key
[Wed 30 Dec 2022 15:22:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/ca.cer
[Wed 30 Dec 2022 15:22:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/subdomain.yourdomain.com_ecc/fullchain.cer
```
3. 注意:这里申请的是测试证书,没办法直接用的,只是用来证明你的域名、配置全都正确。仔细观察,你会发现给你发证书的域名是 `https://acme-staging-v02.api.letsencrypt.org`,这个 `staging` 你就理解成【测试服】吧!
3. If you observe carefully, you will find that the domain name that issues the certificate to you this time is `https://acme-v02.api.letsencrypt.org`, which lacks the word `staging`. Therefore, this is the [Production Environment]!
4. 如果这一步出错的话,你可以运行下面的命令,来查看详细的申请过程和具体的错误。(看不懂就隐藏掉敏感信息后,去 Xray 群里问吧)
## 6.5 Certificate Installation
```shell
acme.sh --issue --server letsencrypt --test -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256 --debug
```
1. After completing the certificate application, it needs to be installed to a specified location and referenced in the configuration file to take effect:
嗯没错,就是在命令的最后加了一个 `--debug` 参数
```shell
vpsadmin@vps-server:~$ acme.sh --installcert -d subdomain.yourdomain.com --cert-file /path/to/install/cert.crt --key-file /path/to/install/cert.key --fullchain-file /path/to/install/fullchain.crt --ecc
[Mon 14 Feb 2022 03:00:25 PM CST] Installing cert to: /etc/xray/cert/cert.crt
[Mon 14 Feb 2022 03:00:25 PM CST] Installing key to: /etc/xray/cert/cert.key
[Mon 14 Feb 2022 03:00:25 PM CST] Installing full chain to: /etc/xray/cert/fullchain.crt
```
5. 这一步确定成功之后,就可以申请正式的证书了。(测试证书不需要删除,它会自动被正式证书覆盖)
(Note: This is a shell command for installing a SSL certificate using acme.sh. The command is specifying the domain, file paths for the certificate, private key, and full chain, as well as indicating that an ECC certificate should be used.)
## 6.4 正式证书申请
## 6.6 Your Progress
1. 申请正式证书的命令如下(即删掉 `--test` 参数,并在最后加入 `--force`参数):
At this point, the two basic infrastructures required by Xray are finally in place! Xray, which has been eagerly awaited, is about to be revealed, and we are finally about to enter the most exciting chapter!
```shell
acme.sh --set-default-ca --server letsencrypt
```
```shell
acme.sh --issue -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256 --force
```
::: warning 说明
`--force` 参数的意思就是,在现有证书到期前,手动(强行)更新证书。上一步我们从“测试服”申请的证书虽然不能直接用,但是它本身是尚未过期的,所以需要用到这个参数。
:::
2. 你最终应该看到跟上面很像的提示:
```log
vpsadmin@vps-server:~$ acme.sh --issue -d 二级域名.你的域名.com -w /home/vpsadmin/www/webpage --keylength ec-256
[Wed 30 Dec 2022 15:22:51 AM EST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed 30 Dec 2022 15:22:51 AM EST] Creating domain key
[Wed 30 Dec 2022 15:22:51 AM EST] The domain key is here: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:22:51 AM EST] Single domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Getting domain auth token for each domain
[Wed 30 Dec 2022 15:22:51 AM EST] Getting webroot for domain='二级域名.你的域名.com'
[Wed 30 Dec 2022 15:22:51 AM EST] Verifying: 二级域名.你的域名.com
[Wed 30 Dec 2022 15:22:51 AM EST] Pending
[Wed 30 Dec 2022 15:22:51 AM EST] Success
[Wed 30 Dec 2022 15:22:51 AM EST] Verify finished, start to sign.
[Wed 30 Dec 2022 15:22:51 AM EST] Lets finalize the order.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/490205996/7730242872'
[Wed 30 Dec 2022 15:22:51 AM EST] Downloading cert.
[Wed 30 Dec 2022 15:22:51 AM EST] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/vsxvk0oldnuobe51ayxz4dms62sk2dwmw9zhuw'
[Wed 30 Dec 2022 15:22:51 AM EST] Cert success.
--BEGIN CERTIFICAT--
sxlYqPvWreKgD5b8JyOQX0Yg2MLoRUoDyqVkd31PthIiwzdckoh5eD3JU7ysYBtN
cTFK4LGOfjqi8Ks87EVJdK9IaSAu7ZC6h5to0eqpJ5PLhaM3e6yJBbHmYA8w1Smp
wAb3tdoHZ9ttUIm9CrSzvDBt6BBT6GqYdDamMyCYBLooMyDEM4CUFsOzCRrEqqvC
2mTTEmhvpojo5rhdTSJxibozyNWTGwoTj0v9pTUeQcGqLIzqi4DowjBHD5guwRid
SjAFnm6JT2xUQgWFm58A1gv1OhbH1TRPUUmtE1nFEN7YiSjI4xgxqAXT3CLD2EUb
wXlUrO6c75zSsQP4bRMzgOjJUqHtSb6IEqELzt4M7KzL5iCOruCChCo2DZxUwvVX
tOoaAyQJzCbTqE6aUqwiKi3gVyoxvDP9mI5JdRYzsDL6GVud7EHPnYeMl9ubLZAK
0vg84mbMP3f6mYM4KRa1cqiyOIcQPT4AzGFYVv4sm049bZQg7sd0Bz9CaFvE7yDA
1y17XlgCDnsjxl66bqI1vkENN9XT5xeFHONqc18b5fZEKSIvdX7iWPFWp1PyMPpG
0pMCP1EymZNFxIMJLgbWqExwLWfPc5Ib3PjBaIqhXPnw6sT2MQSxXwDupq1UJVhV
7E3hQRVlwI4CXi6WLHJMNvNRyyK87gCrLH1bKYsPeRVaz77poWBq49zwBCts6hPY
IeF4ltGXyANNIOPEi8vy138fRU4LYh81d8FjOtFfJZogMjwhfNvapqxPMsioPlmX
TnZu0n7setrVNUEfTMHWqPpDgk5MPrWLA4LapqaDfEX4pwnQJLMwMi6s94z165c0
iMRSKA1yU5zqv8aNsDfPoY4OkSPWs4MaXgRRSLBsUfZ15DwQXPk76kegHIyxWvwF
tYw9HKR5QCMK66fa0z4aJoFVFLK0IIOGEZOanRFUCnkLUDd3QZ3YU8lEcrj7Uxos
haiRNICyC6UfsCJ94a8vcNyMosPv3xBLMp19WXgiFYqEFQkntkv1FLRI35fjeJmg
0fmD9VG9bkzGPHihJgQLRlCHasGf6XrdfkSsODAyCUHUHJ0RzqF4YEZMcxDxzuQ2
YO7bFwj7S3mUdVPZ6MPasjxdyBjJgEBMch2uy4AhmudXfEBQBye8W6ZI4ztZjLVV
FmP4SIuaNUmMe20TjR8b9NVC96AhxOanWT3mRROsdokpKQGTJvl27EHH8KuAbUOc
G6KtPy4wslNZNXWcBy9n63RcWak12r7kAIFn38tZxmlw2WUKoRSMAH64GcDTjRQd
Am65hBHzvGrj93wEuVNIebvNIsJOlng3HFjpIxVqKGMCIfWIKGDE3YzK3p4LbGZ6
NZFQWYJLNVf2M9CCJfbEImPYgvctrxl39H6KVYPCw1SAdaj9NneUqmREOQkKoEB0
x6PmNirbMscHhQPSC0JQaqUgaQFgba1ALmzRYAnYhNb0twkTxWbY7DBkAarxqMIp
yiLKcBFc5H7dgJCImo7us7aJeftC44uWkPM=
--END CERTIFICAT--
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.cer
[Wed 30 Dec 2022 15:22:52 AM EST] Your cert key is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/二级域名.你的域名.com.key
[Wed 30 Dec 2022 15:22:52 AM EST] The intermediate CA cert is in /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/ca.cer
[Wed 30 Dec 2022 15:22:52 AM EST] And the full chain certs is there: /home/vpsadmin/.acme.sh/二级域名.你的域名.com_ecc/fullchain.cer
```
3. 仔细观察,你会发现这次给你发证书的域名是 `https://acme-v02.api.letsencrypt.org`,少了 `staging`,自然就是【正式服】了!
## 6.5 证书安装
1. 证书申请完成后,需要安装,安装到指定位置,并在配置文件中引用即可:
```shell
vpsadmin@vps-server:~$ acme.sh --installcert -d 二级域名.你的域名.com --cert-file /你要安装到的位置/cert.crt --key-file /你要安装到的位置/cert.key --fullchain-file /你要安装到的位置/fullchain.crt --ecc
[Mon 14 Feb 2022 03:00:25 PM CST] Installing cert to: /etc/xray/cert/cert.crt
[Mon 14 Feb 2022 03:00:25 PM CST] Installing key to: /etc/xray/cert/cert.key
[Mon 14 Feb 2022 03:00:25 PM CST] Installing full chain to: /etc/xray/cert/fullchain.crt
```
## 6.6 你的进度
至此Xray 所需要的两个基础设施终于全部就位!千呼万唤始出来的 Xray 马上就要揭开面纱,我们终于要进入最激动人心章节啦!
> ⬛⬛⬛⬛⬛⬛⬜⬜ 75%
> ⬛⬛⬛⬛⬛⬛⬜⬜ 75%