Set up an https server on nginx via An ACME Shell script

Below are the detailed steps I followed when I set up the https server for https://git.errong.win.
You can use them as a guide.

acme.sh

acme.sh is probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let's Encrypt.
Install the shell script by following its guide.

http server nginx conf

First, let's set up an http server via nginx.
After you have installed nginx, the simple way to set up an http server is to add a conf file under the /etc/nginx/sites-enabled/ folder.
cat /etc/nginx/sites-enabled/git.errong.win.conf
server {
    listen       80;
    listen       [::]:80;
    server_name  git.errong.win;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
Reload nginx via sudo nginx -s reload

issue free certificates

sudo acme.sh --issue --home /etc/letsencrypt --domain git.errong.win --webroot /home/errong_leng/www/git --reloadcmd "nginx -s reload" --accountemail errong.leng@gmail.com
[Wed Jun 13 01:51:07 UTC 2018] Single domain='git.errong.win'
[Wed Jun 13 01:51:07 UTC 2018] Getting domain auth token for each domain
[Wed Jun 13 01:51:07 UTC 2018] Getting webroot for domain='git.errong.win'
[Wed Jun 13 01:51:07 UTC 2018] Getting new-authz for domain='git.errong.win'
[Wed Jun 13 01:51:08 UTC 2018] The new-authz request is ok.
[Wed Jun 13 01:51:08 UTC 2018] Verifying:git.errong.win
[Wed Jun 13 01:51:11 UTC 2018] Success
[Wed Jun 13 01:51:11 UTC 2018] Verify finished, start to sign.
[Wed Jun 13 01:51:12 UTC 2018] Cert success.

[Wed Jun 13 01:51:12 UTC 2018] Your cert is in  /etc/letsencrypt/git.errong.win/git.errong.win.cer 
[Wed Jun 13 01:51:12 UTC 2018] Your cert key is in  /etc/letsencrypt/git.errong.win/git.errong.win.key 
[Wed Jun 13 01:51:12 UTC 2018] The intermediate CA cert is in  /etc/letsencrypt/git.errong.win/ca.cer 
[Wed Jun 13 01:51:12 UTC 2018] And the full chain certs is there:  /etc/letsencrypt/git.errong.win/fullchain.cer 
[Wed Jun 13 01:51:12 UTC 2018] Run reload cmd: nginx -s reload
[Wed Jun 13 01:51:12 UTC 2018] Reload success
Ok. We have ssl certificates now.
ssl_certificate /etc/letsencrypt/git.errong.win/fullchain.cer; 
ssl_certificate_key /etc/letsencrypt/git.errong.win/git.errong.win.key; 

https server nginx conf

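cat /etc/nginx/sites-enabled/git.errong.win-ssl.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.errong.win;

    # certificate chain and private key issued by acme.sh above
    ssl_certificate /etc/letsencrypt/git.errong.win/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/git.errong.win/git.errong.win.key;

    location / {
        root   html;
        index  index.html index.htm;
    }
}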
 
Now everything is ready.
Just reload the nginx server.
You will find that http://git.errong.win and https://git.errong.win both work well now.
Reminder:
please replace the server name "git.errong.win" with yours.
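
A server block that listens with ssl needs both ssl_certificate and ssl_certificate_key, and nginx -t can only confirm that on a machine where the certificate files already exist. The check below is an added example, not part of the original post: it reads the conf text alone and lists TLS server blocks that are missing either directive. The function names and the sample hostnames are made up for illustration.

```shell
# Added example: report TLS server blocks that lack certificate directives.
# Reads nginx configuration text on stdin, prints one server_name per hit.
tls_blocks_missing_cert() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                          # ignore comments
        if (!in_server && line ~ /^[ \t]*server[ \t]*[{]/) {
            in_server = 1; start = depth
            tls = 0; cert = 0; key = 0; name = "(unnamed)"
        }
        if (in_server) {
            if (line ~ /^[ \t]*listen[ \t].*[ \t]ssl[ \t;]/)  tls = 1
            if (line ~ /^[ \t]*ssl_certificate[ \t]/)         cert = 1
            if (line ~ /^[ \t]*ssl_certificate_key[ \t]/)     key = 1
            if (line ~ /^[ \t]*server_name[ \t]/) {
                name = line
                sub(/^[ \t]*server_name[ \t]+/, "", name)
                sub(/[ \t]*;.*/, "", name)
            }
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_server && depth == start) {            # server block closed
            if (tls && !(cert && key)) print name
            in_server = 0
        }
    }'
}

# Constructed sample: the first block listens with ssl but names no certificate.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name bad.example.test;
    location / { root html; }
}
server {
    listen 443 ssl http2;
    server_name good.example.test;
    ssl_certificate     /etc/letsencrypt/good.example.test/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/good.example.test/good.example.test.key;
}
EOF
}

sample_conf | tls_blocks_missing_cert    # lists the blocks that need fixing
```

Run it over a real file with: tls_blocks_missing_cert < /etc/nginx/sites-enabled/git.errong.win-ssl.conf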

Samba add user for share

add user

sudo smbpasswd -a USER
sudo smbpasswd -e USER

set up share path

/etc/samba/smb.conf
[USER] 
       comment = USER home 
       path = /home/USER 
       writeable = yes 
       public=yes 
       browseable = yes 
       create mode = 776 
       force directory mode = 776 

restart samba service

sudo systemctl restart smbd.service
sudo systemctl restart nmbd.service

If you still can't access the share, check the config below

/etc/samba/smb.conf
[global]
       hosts allow = #add your IP here
Restart the samba service again; it should work now.
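
In smb.conf, public is a synonym for guest ok, which means no password is required to connect to the share. Combined with writeable = yes, the [USER] share above is writable without the account created by smbpasswd. The audit below is an added example, not part of the original post: it lists shares that allow both guest access and writes. The function names and the [USER-auth] share are made up for illustration.

```shell
# Added example: list smb.conf shares that permit guest access AND writes.
# Reads smb.conf text on stdin, prints one share name per hit.
guest_writable_shares() {
    awk '
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    function report()  { if (share != "" && tolower(share) != "global" && guest && writable) print share }
    /^[ \t]*[#;]/ { next }                          # comment lines
    /^[ \t]*\[/ {                                   # section header starts a new share
        report()
        share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*/, "", share)
        guest = 0; writable = 0
        next
    }
    index($0, "=") {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]+/, "", key)                     # whitespace in parameter names is ignored
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "public" || key == "guestok") guest = truthy(val)
        if (key == "writeable" || key == "writable" || key == "writeok") writable = truthy(val)
        if (key == "readonly") writable = !truthy(val)   # inverted synonym
    }
    END { report() }'
}

# Sample input: the [USER] share from this page, then a constructed variant
# that keeps write access but requires the Samba account.
sample_smb_conf() {
    cat <<'EOF'
[USER]
       comment = USER home
       path = /home/USER
       writeable = yes
       public=yes
       browseable = yes
[USER-auth]
       path = /home/USER
       writeable = yes
       guest ok = no
       valid users = USER
EOF
}

sample_smb_conf | guest_writable_shares    # lists shares open to guest writes
```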

Fix issue : grunt init failed with error Couldn't find match for "

Issue

PS D:\Ghost> grunt init
Running "update_submodules:pinned" (update_submodules) task

Running "subgrunt:init" (subgrunt) task
yarn install v1.7.0
[1/5] Validating package.json...
[2/5] Resolving packages...
[3/5] Fetching packages...
warning Pattern ["glob@latest"] is trying to unpack in the same destination "C:\\Users\\lenger\\AppData\\Local\\Yarn\\Ca
che\\v1\\npm-glob-7.1.2-c19c9df9a028702d678612384a6552404c636d15" as pattern ["glob@^7.0.5","glob@^7.0.5","glob@^7.1.0",
"glob@^7.0.4","glob@^7.1.2","glob@^7.0.3","glob@^7.0.3","glob@^7.0.0","glob@7.1.2","glob@^7.0.3"]. This could result in
non-deterministic behavior, skipping.
error Couldn't find match for "8dc6b689903c9363ade94e2e4d21c94813bbbe98" in "refs/heads/master,refs/heads/node-4-compat,
refs/tags/v0.0.1,refs/tags/v0.0.2,refs/tags/v0.0.3,refs/tags/v0.1.0,refs/tags/v0.1.1" for "https://github.com/kevinansfi
eld/eslint-plugin-sort-imports-es6-autofix.git".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
Warning: Failed installing node modules in "core/client". Use --force to continue.

Aborted due to warnings.

Solution

find . -name "yarn.lock" | xargs rm -f
Then run grunt init again:
grunt init

Transfer your ghost server between hosts

Assume you have a ghost server running on a host machine.
One day the host machine may run out of space, or you find a new cheap host,
or you get a new host that has more powerful memory and performance.
Then you may need to transfer your ghost server to the new host.

tar your ghost server to a *.tar.gz

# blog is my ghost server root directory; run tar from its parent directory
$ cd www
$ tar -zcvf blog.tar.gz blog
Copy blog.tar.gz to the new host.

preinstall on new host

nginx
sudo apt-get install nginx
node.js
https://nodejs.org/en/download/
extract and add node bin path to env
ghost
npm i -g ghost-cli 
acme.sh
https://github.com/Neilpang/acme.sh

configure on new host

tar -zxvf blog.tar.gz

nginx conf

# ln -s stores the target exactly as written, so give it an absolute path
sudo ln -sf "$(pwd)/blog/system/files/blog.conf" /etc/nginx/sites-available/blog.conf
sudo ln -sf /etc/nginx/sites-available/blog.conf /etc/nginx/sites-enabled/blog.conf

start http server

ghost start 
If you encounter a systemd error, just follow the hint command (ghost linuxuser systemd) printed by ghost
and run ghost start again.
Before you start your ghost server, you should change the DNS record for your server. Since you changed hosts, the IP will have changed.

enable https server via letsencrypt

# ln -s stores the target exactly as written, so give it an absolute path
sudo ln -sf "$(pwd)/blog/system/files/blog-ssl.conf" /etc/nginx/sites-available/blog-ssl.conf
sudo ln -sf /etc/nginx/sites-available/blog-ssl.conf /etc/nginx/sites-enabled/blog-ssl.conf
acme.sh --issue --home /etc/letsencrypt --domain errong.win --webroot /home/errong_leng/www/blog/system/nginx-root --reloadcmd "nginx -s reload" --accountemail errong.leng@gmail.com

http nginx conf

server {
    listen 80;
    listen [::]:80;

    server_name errong.win;
    root /home/errong_leng/www/blog/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:6666;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

https nginx conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name errong.win;
    root /home/errong_leng/www/blog/system/nginx-root;

    ssl_certificate /etc/letsencrypt/errong.win/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/errong.win/errong.win.key;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:6666;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

setup shadowsocks server on ubuntu 16.04

install

sudo apt-get install software-properties-common -y
sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev -y
sudo apt-get update
sudo apt install shadowsocks-libev

configure

sudo vim /etc/shadowsocks-libev/config.json
{
    "server":"10.128.0.2",
    "server_port":8911,
    "local_port":1008,
    "password":"jesusislove",
    "timeout":60,
    "method":"chacha20-ietf-poly1305"
}

start server

sudo systemctl start shadowsocks-libev

google compute engine

If the server is running on Google Compute Engine,
you need to set up a firewall rule for the server port (8911, written in config.json):
Name: shadowsocks
Targets: Apply to all
Source IP ranges: 0.0.0.0/0
Protocols and ports: tcp:8911, udp:8911
Action: Allow

client configuration

iOS
Android
Shadowsocks for Android / iOS also accepts BASE64 encoded URI format configs:
ss://BASE64-ENCODED-STRING-WITHOUT-PADDING#TAG 
Where the plain URI should be:
ss://method:password@hostname:port 
Quick Guide
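
The ss:// form is only an encoding: anyone who holds the URI, or a QR code made from it, can recover the method and password. The functions below are an added example, not part of the original post. They build the URI from its fields and parse it back, restoring the stripped padding and splitting on the last @ so that passwords containing @ or : survive. The function names and sample values are made up for illustration.

```shell
# Added example: build and parse ss://BASE64-WITHOUT-PADDING#TAG URIs.

ss_encode() (   # usage: ss_encode METHOD PASSWORD HOST PORT TAG
    b64=$(printf '%s' "$1:$2@$3:$4" | base64 | tr -d '=\n')
    printf 'ss://%s#%s\n' "$b64" "$5"
)

ss_decode() (   # usage: ss_decode URI -> method, password, host, port, tag (one per line)
    body=${1#ss://}
    case $body in
        *\#*) tag=${body#*\#}; b64=${body%%\#*} ;;
        *)    tag=;            b64=$body ;;
    esac
    case $(( ${#b64} % 4 )) in          # restore the padding that was stripped
        2) b64="$b64==" ;;
        3) b64="$b64=" ;;
    esac
    plain=$(printf '%s' "$b64" | base64 -d) || exit 1
    method=${plain%%:*}                 # method ends at the first colon
    rest=${plain#*:}
    hostport=${rest##*@}                # host:port follows the LAST @
    password=${rest%@*}
    printf '%s\n' "$method" "$password" "${hostport%:*}" "${hostport##*:}" "$tag"
)

# Constructed sample values (203.0.113.10 is a documentation address).
uri=$(ss_encode chacha20-ietf-poly1305 'p@ss:word' 203.0.113.10 8911 gce)
printf '%s\n' "$uri"
ss_decode "$uri"
```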

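If His Means Are Not Sufficient

Leviticus 5:7, 11

7 "If his means are not sufficient to offer a lamb, then for the sin he has committed he shall bring two turtledoves or two young pigeons before the LORD as a guilt offering: one as a sin offering and one as a burnt offering.

11 "If his means are not sufficient to offer two turtledoves or two young pigeons, then for the sin he has committed he shall bring an offering, a tenth of an ephah of fine flour, as a sin offering; he shall not put oil on it, nor shall he put frankincense on it, for it is a sin offering.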



expressjs : implement http file download

Express helper, res.download

Express has a helper for this:
app.get('/xxx', function(req, res){ 
  var file = __dirname + '/xxx'; 
  res.download(file); // Set disposition and send it. 
}); 

http file download header

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
res.setHeader('Content-disposition', 'attachment; filename=xxx'); 

fixed: embedded-redis: Unable to run on macOS Sonoma

Issue

You might see the error below while trying to run embedded-redis for your testing on macOS after you upgrade to Sonoma. java.la...