A Self-Reliant Seedbox Guide

September 22, 2019
Servers

What was the original reason again? Probably frustration with seeding on the campus-network PT tracker ~~(actually I just wanted to download porn)~~, so I planned to get a so-called "big-disk VPS" to run BitTorrent on. Who knew that, for one reason or another, I would keep piling new techniques and setups on top of the old ones, so it got complicated.

Disclaimer

For one reason or another, copyright owners have hard fists. Choose your seedbox hosting provider carefully; I suggest searching the TOS for keywords such as copyright law, Torrent and P2P to find out how the provider responds to DMCA complaints.

I'm using Arch BTW. If you can't use Arch, Ubuntu is what I use too; well, if Debian buster is available, just use Debian, Ubuntu's motd component is disgusting.

Software

P.S. For simply pulling files back, Caddy plus IDM is actually enough, but strangely multi-threaded downloads corrupt files: the porn gets more mosaic and drops frames. Also, some Blu-ray releases, game releases and 91porn collections have complicated folder structures that are awkward to pull back, so Syncthing is used for those. (It's slower; I'll find a way around that later.)

What, you say Resilio Sync? Sorry, that thing seems to have fallen into the money pit (actually I'm just itching to compile things myself).

Downloaded content is stored in /srv/http/neko. To make file operations easy, the neko folder and everything downloaded into it will have permissions 777. (It's all just downloads anyway, who cares.)

Tuning kernel parameters

This step is arguably optional; if the box has its own kernel, go ahead and tune it:

Write to the file /etc/sysctl.d/98-network-tuning.conf:

# http://www.nateware.com/linux-network-tuning-for-2013.html
# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_max = 26214400
net.core.wmem_max = 26214400
net.core.rmem_default = 26214400
net.core.wmem_default = 26214400
net.core.optmem_max = 40960

# increase upper limit on how many connections the kernel will accept 
net.core.somaxconn = 4096

# cloudflare uses this for balancing latency and throughput
# https://blog.cloudflare.com/the-story-of-one-latency-spike/

net.ipv4.tcp_rmem = 4096 1048576 2097152

net.ipv4.tcp_wmem = 4096 65536 16777216

# Also increase the max packet backlog
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000

# Make room for more TIME_WAIT sockets due to more clients,
# and allow them to be reused if we run out of sockets
net.ipv4.tcp_max_syn_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 10

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384

# New parameter since kernel 4.12
# https://github.com/leandromoreira/linux-network-performance-parameters#interrupt-coalescing-soft-irq-and-ingress-qdisc
net.core.netdev_budget_usecs = 5000

# https://github.com/netdata/netdata/issues/1076

# TFO
net.ipv4.tcp_fastopen = 3

# BBR
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# Helps protect against SYN flood attacks. Only kicks in when net.ipv4.tcp_max_syn_backlog is reached: 
net.ipv4.tcp_syncookies = 1

# The longer the MTU the better for performance, but the worse for reliability.
# This is because a lost packet means more data to be retransmitted 
# and because many routers on the Internet can't deliver very long packets: 
# https://blog.cloudflare.com/path-mtu-discovery-in-practice/
net.ipv4.tcp_mtu_probing = 1

# Protect against tcp time-wait assassination hazards
# drop RST packets for sockets in the time-wait state.
# Not widely supported outside of Linux, but conforms to RFC:
net.ipv4.tcp_rfc1337 = 1

fs.file-max = 51200

Then apply it:

sudo sysctl --system

Transmission

Install a pile of things

A lot of these are left over from compiling SS (Shadowsocks) in the past; installing them doesn't hurt anything, so just install them:

Arch:

sudo pacman -Sy gettext gcc autoconf libtool automake make asciidoc xmlto c-ares libev haveged perl-archive-zip net-tools bind-tools git zsh transmission-cli golang

Ubuntu/Debian:

sudo apt install --no-install-recommends gettext build-essential autoconf libtool libpcre3-dev asciidoc xmlto libev-dev libc-ares-dev automake libssl-dev zlib1g-dev haveged libarchive-zip-perl dnsutils software-properties-common

Then remember to enable haveged:

sudo systemctl start haveged
sudo systemctl enable haveged

On Ubuntu you can now install the latest Transmission:

sudo add-apt-repository ppa:transmissionbt/ppa
sudo apt update
sudo apt install transmission-daemon

Using a custom Transmission systemd unit file

Create the file /etc/systemd/system/transmission.service:

[Unit]
Description=Transmission BitTorrent Daemon
After=network-online.target
Wants=network-online.target

[Service]
User=omicron
Type=simple
ExecStart=/usr/bin/transmission-daemon -f --log-error
# SIGTERM asks the daemon to shut down cleanly; SIGSTOP would only freeze it until systemd's stop timeout kills it
ExecStop=/bin/kill -s TERM $MAINPID
# SIGHUP makes transmission-daemon re-read settings.json
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=3
LimitNOFILE=500000
LimitNPROC=500000

[Install]
WantedBy=multi-user.target

P.S. Remember to change User here to your own username. Also, if you are reading this as root, er, I think you'd better stop reading; I'm lazy and skipped a lot of small steps, so someone running as root certainly won't be able to follow.

Start it and then stop it to generate the config file:

sudo systemctl start transmission
sudo systemctl stop transmission

The config file is settings.json in the transmission folder under ~/.config:

{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "blocklist-url": "http://www.example.com/blocklist",
    "cache-size-mb": 4,
    "dht-enabled": true,
    "download-dir": "/srv/http/neko",
    "download-limit": 100,
    "download-limit-enabled": 0,
    "download-queue-enabled": true,
    "download-queue-size": 20,
    "encryption": 1,
    "idle-seeding-limit": 30,
    "idle-seeding-limit-enabled": false,
    "incomplete-dir": "/var/lib/transmission-daemon/Downloads",
    "incomplete-dir-enabled": false,
    "lpd-enabled": true,
    "max-peers-global": 999999,
    "message-level": 1,
    "peer-congestion-algorithm": "",
    "peer-id-ttl-hours": 6,
    "peer-limit-global": 16959,
    "peer-limit-per-torrent": 16959,
    "peer-port": 59361,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": true,
    "peer-socket-tos": "default",
    "pex-enabled": true,
    "port-forwarding-enabled": false,
    "preallocation": 1,
    "prefetch-enabled": true,
    "queue-stalled-enabled": true,
    "queue-stalled-minutes": 30,
    "ratio-limit": 0,
    "ratio-limit-enabled": true,
    "rename-partial-files": true,
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-host-whitelist": "",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "passwd",
    "rpc-port": 15666,
    "rpc-url": "/transmission/",
    "rpc-username": "username",
    "rpc-whitelist": "127.0.0.1",
    "rpc-whitelist-enabled": false,
    "scrape-paused-torrents-enabled": true,
    "script-torrent-done-enabled": false,
    "script-torrent-done-filename": "",
    "seed-queue-enabled": true,
    "seed-queue-size": 1,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 6,
    "speed-limit-up-enabled": true,
    "start-added-torrents": true,
    "trash-original-torrent-files": false,
    "umask": 0,
    "upload-limit": 6,
    "upload-limit-enabled": 1,
    "upload-slots-per-torrent": 0,
    "utp-enabled": true
}

To use the above directly, you need to change the control panel port, username and password yourself. I set the download location to /srv/http/neko so that it hooks up easily with Caddy later.

Then set up auto-start on boot, get it running and so on yourself, and you're done. Also, create the directory if it doesn't exist.
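The Caddyfile further down proxies the control panel from 127.0.0.1:15666, so the RPC listener only needs to be reachable locally; the settings above, however, bind it to 0.0.0.0 with the whitelist off, a placeholder password and umask 0. The following script is an added example (not from the original post and not part of Transmission): it audits a settings.json for those exposures and produces the hardened values, leaving the password for you to choose.

```python
import json

# Constructed excerpt in the shape of the settings.json above; values are this example's own.
SAMPLE_SETTINGS = """{
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-password": "passwd",
    "rpc-port": 15666,
    "rpc-username": "username",
    "rpc-whitelist": "127.0.0.1",
    "rpc-whitelist-enabled": false,
    "umask": 0
}"""

# Transmission rewrites rpc-password as a salted hash beginning with "{" on its first start,
# so a plain value still in the file is one nobody has changed yet.
PLACEHOLDER_PASSWORDS = {"", "passwd", "password", "transmission"}

def audit_rpc(settings):
    """Findings about how the RPC control interface is exposed (empty list = nothing flagged)."""
    findings = []
    if not settings.get("rpc-enabled", False):
        return findings                       # nothing is listening
    bind = settings.get("rpc-bind-address", "0.0.0.0")
    if bind in ("0.0.0.0", "::") and not settings.get("rpc-whitelist-enabled", True):
        findings.append("rpc listens on every interface with the whitelist off; "
                        "bind it to 127.0.0.1 when Caddy proxies to it")
    if not settings.get("rpc-authentication-required", False):
        findings.append("rpc-authentication-required is false")
    pw = settings.get("rpc-password", "")
    if not pw.startswith("{") and pw in PLACEHOLDER_PASSWORDS:
        findings.append("rpc-password is still a placeholder")
    if settings.get("umask", 18) == 0:
        findings.append("umask 0 makes every downloaded file world-writable")
    return findings

def harden(settings):
    """Copy of settings with the RPC surface limited to the local reverse proxy; password left to you."""
    fixed = dict(settings)
    fixed["rpc-bind-address"] = "127.0.0.1"   # only Caddy on the same host can reach it
    fixed["rpc-whitelist-enabled"] = True
    fixed["rpc-whitelist"] = "127.0.0.1"
    if fixed.get("umask", 18) == 0:
        fixed["umask"] = 18                    # decimal 18 == octal 022
    return fixed

def audit_text(text):
    return audit_rpc(json.loads(text))        # audit a settings.json string
```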

Retrieval and control

Retrieval mainly uses two approaches: http and syncthing.

Using http with IDM is great, but sometimes files come out corrupted. I don't think the downloaded data itself is wrong; most likely a range error in the multi-threaded download makes the parts get merged incorrectly. The fix is to restart the http server and download again. Also, errors are basically guaranteed when downloading large files.

syncthing is something based on the BT protocol. What attracted me to it was that the BT protocol splits files into blocks and hash-verifies each block as it is downloaded. But because ISPs usually throttle a single TCP connection, it is hard to saturate the link even when the bandwidth allows it. Where http on a home connection can fill 100Mbps, syncthing gets roughly a tenth of that.
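To show what the per-block hash check praised above actually does, here is an added example (not from the original post, Syncthing or Transmission): a small bencode decoder reads a constructed single-file .torrent and checks every piece of a downloaded payload against the SHA-1 list in its info dict, so damage like the bad range merge described above is pinned to a specific piece instead of being discovered at playback.

```python
import hashlib

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, next_index); dict keys stay bytes."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        out, i = ([] if c == b"l" else {}), i + 1
        while data[i:i + 1] != b"e":
            if c == b"l":
                v, i = bdecode(data, i)
                out.append(v)
            else:
                k, i = bdecode(data, i)
                out[k], i = bdecode(data, i)
        return out, i + 1
    colon = data.index(b":", i)           # byte string: <length>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bencode(v):
    """Encoder used only to construct the sample torrent below (int, bytes, dict)."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

def bad_pieces(info, payload):
    """Indexes of pieces whose SHA-1 differs from the info dict's 'pieces' string:
    the per-block check a BitTorrent client runs before it accepts data."""
    plen, hashes = info[b"piece length"], info[b"pieces"]
    return [idx for idx in range(len(hashes) // 20)
            if hashlib.sha1(payload[idx * plen:(idx + 1) * plen]).digest()
            != hashes[idx * 20:(idx + 1) * 20]]

# Constructed sample: a 44-byte "file" with a 16-byte piece length (real torrents use
# 256 KiB and up), packed into a single-file torrent and decoded again.
GOOD = b"the quick brown fox jumps over the lazy dog!"
PIECE_LEN = 16
PIECES = b"".join(hashlib.sha1(GOOD[k:k + PIECE_LEN]).digest()
                  for k in range(0, len(GOOD), PIECE_LEN))
TORRENT = bencode({b"info": {b"name": b"sample.bin", b"length": len(GOOD),
                             b"piece length": PIECE_LEN, b"pieces": PIECES}})
INFO = bdecode(TORRENT)[0][b"info"]
CORRUPT = GOOD[:20] + b"X" + GOOD[21:]  # one byte flipped at offset 20, inside piece 1
```

Running the same check over a real download only requires reading the .torrent and the file from disk instead of the constructed bytes.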

Then there is control. Both Transmission and syncthing have http-based control panels, which means a separate http instance has to be set up for each according to your needs and abilities.

http

Create a caddy folder and create build.go in it:

package main

import (
    "github.com/caddyserver/caddy/caddy/caddymain"
    
    // plug in plugins here, for example:
    // _ "import/path/here"
)

func main() {
    // optional: disable telemetry
    caddymain.EnableTelemetry = false
    caddymain.Run()
}

Initialize the go module:

go mod init caddy

Build it directly:

go build -ldflags="-s -w"

Then you get an executable file.

Throw it into /usr/local/bin.

P.S. If you hit nasty build errors, be kind to Google/StartPage.

Systemd

/etc/systemd/system/caddy.service


[Unit]
Description=Caddy HTTP/2 web server 
After=network-online.target

[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
User=omicron
ExecStart=/usr/local/bin/caddy -agree=true -quic -conf=/opt/caddy/Caddyfile
Restart=on-failure
RestartSec=10
WorkingDirectory=/srv/http
; create a private temp folder that is not shared with other processes
PrivateTmp=true
LimitNOFILE=500000
LimitNPROC=500000

[Install]
WantedBy=multi-user.target

Configuration file

/opt/caddy/Caddyfile

download.example.com:443 {
    root /srv/http
    timeouts none
    gzip
    browse
    fastcgi / /run/php/php7.2-fpm.sock php # Ubuntu
    fastcgi / /run/php-fpm/php-fpm.sock php # Arch
    basicauth /neko username passwd
    mime .mkv video/x-matroska
    tls {
        alpn h2
        key_type p384
    }
    header / Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}

transmission-remoter.example.com:443 {
    timeouts none
    gzip
    proxy / 127.0.0.1:15666 
    tls {
        alpn h2
        key_type p384
    }
}

syncthing.example.com:443 {
    timeouts none
    gzip
    proxy / 127.0.0.1:8384
    basicauth / username passwd
    tls {
        alpn h2
        key_type p384
    }
}

P.S.

Building & configuring Syncthing

Honestly, BT wears out hard disks and this thing downloads slowly, so remember to mount a junk disk you won't mind losing.

Build from Source

Get the code:

git clone https://github.com/syncthing/syncthing.git

Check the tags and look for the latest stable release:

git tag -l

Switch to that tag:

git checkout vxxxx

Build:

go run build.go build syncthing -no-upgrade

Again, throw it into /usr/local/bin.

Systemd

[Unit]
Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
After=network.target

[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/syncthing -no-browser -no-restart -logflags=0 -home=/opt/sync
User=omicron
Restart=on-failure
RestartSec=3
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
LimitNOFILE=500000
LimitNPROC=500000

# Hardening
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true

[Install]
WantedBy=default.target

Then start it and so on.

The default panel is on port 8384 of the local loopback interface.

Configuration

Open the panel configured above.

Open Advanced settings.

Windows startup scripts

SS proxy

SS.bat

set all_proxy=socks5://127.0.0.1:1080
set ALL_PROXY_NO_FALLBACK=1
syncthing.exe -home=Syncthing

Direct connection

Direct.bat

syncthing.exe -home=Syncthing

Simple PHP setup

sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php-fpm

Find PHP's www.conf.

Change:

user = omicron
group = omicron

listen.owner = omicron
listen.group = omicron

Restart:

sudo systemctl restart php7.3-fpm # Ubuntu

sudo systemctl restart php-fpm # Arch

sudo systemctl enable ....................

Then find any PHP file-manager template you like; otherwise having to log in over ssh every time would be quite annoying.

Code of unclear meaning

aHR0cHM6Ly9yYXJiZ3ByeC5vcmcvdG9ycmVudHMucGhwCmh0dHBzOi8vc2hhcmUuZG1oeS5vcmcvCmh0dHBzOi8vc3VrZWJlaS5ueWFhLnNpLwpodHRwczovL3N1a2ViZWkucGFudHN1LmNhdC8=
