It so happened that by profession I am an administrator of computer systems and networks (in short: a system administrator), and I have had the opportunity to practise that profession for a little over 10 years, looking at systems from many angles, including ones that demand [extreme] security measures. It also happened that some time ago I came across an interesting dev
, so, I went through it). But I am not going to talk about development; I am going to talk about a secure and efficient environment for applications.
Financial technology (fintech) goes hand in hand with information security (infosec); the first can work without the second, but not for long. That is why I want to share my experience and the toolset I use, which covers both fintech and infosec at the same time and can also be used for broader or different purposes. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services - in a word, services where the "B" matters (B as in the Russian word for security). This applies equally to a Bitcoin exchange and to the most typical zoo of services of a small company that has nothing to do with Bitcoin at all.
I would like to note that I adhere to the principles "keep it simple" and "less is more", so the article and what it describes carry the properties inherent in those principles.
Hypothetical scenario: let's look at everything using the example of a bitcoin exchanger. We decided to start exchanging rubles, dollars and euros for bitcoins and back, and we already have a working solution, but only for other digital money such as qiwi and webmoney, i.e. we have closed all the legal issues, and we have a ready-made application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to bank accounts and has some kind of API for the end applications. We also have a web application that acts as the exchanger for users, well, like a typical qiwi or webmoney account - create an account, add a card, and so on. It communicates with our gateway application via a REST API on the local network. And so we decided to add bitcoins and at the same time upgrade the infrastructure, because... Firstly, everything was hastily put together in virtualboxes in the office under the desk... the site started getting real use, and we began to worry about uptime and performance.
So, let's start with the main thing - choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose
Server installation
Everything is simple here. We choose hardware that matches our needs. Then we select the FreeBSD image. Or (in the case of another hoster and our own hardware) we connect via IPMI or with a monitor and feed the FreeBSD .iso image to boot. For orchestrating the setup I use
The system is installed in the standard way; I will not dwell on it. I will only note that before going into operation you should pay attention to the hardening options that bsdinstaller offers
at the end of the installation (if you install the system yourself):
You can also enable the parameters mentioned above on an already installed system. To do this, you need to edit the bootloader file and enable the kernel parameters. *ee is the editor of this kind in BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# sysctl.conf is not a shell script, so $(jot -r 1 9999) would never be expanded;
# on FreeBSD 12 the value 1 enables PID randomization
kern.randompid=1
security.bsd.stack_guard_page=1
You should also make sure you have the latest version of the system installed, and
Then we configure aide, which monitors the state of the system configuration files. You can read more about it
pkg install aide
and edit our crontab
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#! /bin/sh
#chkaide.sh
# Daily AIDE check: write a dated report to /tmp with the failures filtered out,
# followed by the tail of the raw output (summary and counts)
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
We enable auditd
sysrc auditd_enable=YES
# service auditd start
How to set this up is perfectly described in
Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore, it is important that the processor supports VT-x and EPT if we plan to use full virtualization.
To manage containers and virtual machines I use
Containers? Docker again, or what?
And here, no: cbsd
is what manages these containers, which are called jails.
A jail is a highly effective solution for building infrastructure for a variety of purposes where complete isolation of individual services or processes is required. Essentially, it is a clone of the host system, but it does not require full hardware virtualization. Because of this, resources are not spent on a "guest OS", but only on the work actually being done. When jails are used for internal needs, this is a very convenient solution for optimal resource use - a group of jails on one hardware server can use all of the server's resources if needed. Given that different sub-services usually need extra resources at different times, you can extract maximum performance from one server if you plan and balance jails between servers. If needed, jails can also be given limits on the resources they use.
What about full virtualization?
Actually, I know that cbsd
supports working with bhyve
and the XEN hypervisor. I have never used the second, and the first is relatively new; bhyve
in the examples below.
Installing and configuring the host environment
We use the FS
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
- adds a partition in the remaining space on the disk
geli init /dev/ada0p4
enter our encryption password
geli attach /dev/ada0p4
We enter the password again and we have the device /dev/ada0p4.eli - this is the encrypted space. Then we repeat the same for /dev/ada1 and the rest of the disks in the pool. And we create a new
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli
- well, we have a minimal battle kit ready. A mirrored pool that survives if one of the three disks fails.
We create a dataset in the new "pool"
zfs create vms/jails
pkg install cbsd
- we run the command and set up our jail management.
After cbsd
is installed, it must be initialized:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Yes, we answer many questions, mostly with the default answers.
* If you use encryption, it is important that the cbsdd daemon
does not start automatically until you decrypt the disks manually or automatically (in this example it is done by zabbix)
** I also do not use NAT from cbsd, and I configure it myself in pf.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Setting up firewall policies is a separate topic, so I will not set up a BLOCK ALL policy and a whitelist here; you can do that by reading
Well... we have installed cbsd, it's time to create our first workhorse - a caged Bitcoin daemon!
cbsd jconstruct-tui
Here we see the jail creation dialog. Once all the values are set, let's create!
When creating the first jail, you need to choose what will be used as the jail base. I choose a distribution from the FreeBSD repository with the repo command
. This choice is made only when creating the first jail of a particular version (you can host jails of any version older than the host version).
Once everything is installed, we start the jail!
# cbsd jstart bitcoind
But we need to install the software in the jail.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
jexec bitcoind
to get into the jail console
and, once inside the jail, we install the software with its dependencies (our host system stays clean)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
Bitcoin is in the jail, but we need anonymity because we want to connect some jails through the TOR network. In general, we plan to run most jails with suspicious software only via a proxy. Thanks to pf
you can disable NAT for certain IP addresses on the local network and allow NAT only for our TOR node. That way, even if malware gets into a jail, it most likely will not communicate with the outside world, and if it does, it will not reveal our server's IP. So we create another jail to "forward" services as ".onion" services and to act as a proxy for individual jails to access the Internet.
# cbsd jsconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Set it to listen on a local address (available to all jails)
SOCKSPort 192.168.0.2:9050
What else is needed for complete happiness? Well, we need a service for our web, possibly more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates
# cbsd jsconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
So, we put 150 MB of dependencies in the jail. And the host is still clean.
We will come back to setting up nginx later; we need to bring up two more jails for our payment gateway in nodejs and rust, and for the web application, which for some reason is in Apache and PHP, and the latter also needs a MySQL database.
# cbsd jsconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
... and another 380 MB of packages, isolated
Next, we download our application with git and start it.
# cbsd jsconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB of packages in the jail.
Here we give the developers access via SSH directly into the jail; they will do everything there:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267
- change the jail's SSH port to any arbitrary one
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Well, the service is running; all that remains is to add the rule to the pf firewall
Let's see what IP our jails have and what the "local network" looks like in general.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
and add the rule
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Well, since we are here, let's add a rule for the reverse proxy too:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# pfctl -f /etc/pf.conf
Well, now a little about bitcoins
What we have is a web application that faces outward and talks locally to the payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself - the bitcoind node
is just a daemon that stores a local copy of the current blockchain. This daemon has RPC and wallet functions, but there are more convenient "wrappers" for application development. To start with, we decided to put electrum
which is a CLI wallet.
laptop. For now we will use Electrum with public servers, and later we will raise our own in another jail
# cbsd jsconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
another 700 MB of software in our jail
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}
Now we have a wallet created.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]
wallet@electrum:/ % electrum-3.6 help
For our on-chain wallet, only a few people will be able to connect from now on. To avoid opening access to this jail from outside, SSH connections will go through TOR (a decentralized VPN of sorts). We start SSH in the jail, but do not touch pf.conf on the host.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Now let's cut the wallet jail off from Internet access. Let's give it an IP address from another subnet range that is not NATed. First let's change /etc/pf.conf on the host
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24"
let's change it to JAIL_IP_POOL="192.168.0.0/25"
, so that all the addresses 192.168.0.126-255 will not have direct access to the Internet. A kind of software network "air-gap". And the NAT rule stays as it is
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Reloading the rules
# pfctl -f /etc/pf.conf
Now let's reconfigure our jail
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
Hmm, but now the system will stop being usable for us. However, we can set a system-wide proxy. But there is one thing: TOR is a SOCKS5 proxy, and for convenience we also want an HTTP proxy.
# cbsd jsconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5
polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Now there are two proxy servers in our system, and both exit through TOR: socks5://192.168.0.2:9050 and
Now we can set up our wallet environment
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
# at the end of the file: proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123
Now the shell will work through the proxy. If we want to install packages, we need to add to /usr/local/etc/pkg.conf
inside the jail, as root
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}
Now it is time to add a TOR hidden service as the address of the SSH service in the wallet jail.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22
tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
This is our connection address. Let's check from the local machine. But first we need to add our SSH key:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local
Well, from a Linux client machine
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Let's connect (for this to work you need a local TOR daemon listening on 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Success!
To work with fast payments and micropayments we also need a c-lightning node
which needs bitcoind to function
but yes.
*There are various implementations of the Lightning Network protocol in various languages. Of those tested, c-lightning (written in C) seemed the most stable and resource-efficient.
# cbsd jsconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...
lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
When everything needed is compiled and installed, let's create an RPC user for lightningd
in bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32
bitcoind:/@[10:39] # service bitcoind restart
Switching between jails becomes less chaotic if you note the tmux utility
, which lets you create several terminal sub-sessions within one session. Analog: screen
So, we do not want to reveal the real IP of our node, and we want to do all financial transactions through TOR. Therefore, we need another .onion.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735
tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
Now let's create the config for c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like
lightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
you also need to create a config file for bitcoin-cli, the utility that communicates with bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test
check
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]
start lightningd
lightning@lightning:~ % lightningd --daemon
lightningd itself can be controlled with the lightning-cli utility, for example:
lightning-cli newaddr
requests an address for a new incoming payment
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}
lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all
sends all the funds in the wallet to the address (everything on-chain)
There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.
Well, for communication with the application we have a REST API
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'
Let's summarize the result
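The sparko-keys line in the c-lightning config above and the REST call with the X-Access header both express an access policy: each key may only call the methods listed after it. As an added example (not from the article or the sparko project), this parses that line in the format shown on the page and checks a key against a method before the request is built, so a component such as the payment gateway is handed the narrowest key that covers its needs instead of masterkey; the helper names are my own.

```python
import json

# Constructed from the sparko-keys line in the c-lightning config above. Format as
# used on the page: entries separated by ";", the first entry (no ":") is the master
# key with unrestricted access, every other entry is "key:+method,+method,...".
SPARKO_KEYS = (
    "masterkey;"
    "secretread:+listchannels,+listnodes;"
    "ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice"
)


def parse_sparko_keys(spec):
    """Return {key: frozenset of permitted methods}; the value None means unrestricted."""
    perms = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            perms[entry] = None  # master key: may call everything
            continue
        key, methods = entry.split(":", 1)
        # only "+method" grants are on the page, so anything else is ignored
        perms[key] = frozenset(m.strip()[1:] for m in methods.split(",")
                               if m.strip().startswith("+"))
    return perms


def is_allowed(perms, key, method):
    """True if the key exists and may call the method; unknown keys are always denied."""
    if key not in perms:
        return False
    return perms[key] is None or method in perms[key]


def build_rpc_request(perms, key, method, params, host="192.168.0.7", port=9737):
    """Assemble the same call the article makes with curl, refusing up front if the key lacks the method."""
    if not is_allowed(perms, key, method):
        raise PermissionError(f"key may not call {method!r}")
    return {
        "url": f"https://{host}:{port}/rpc",
        "headers": {"X-Access": key, "Content-Type": "application/json"},
        "body": json.dumps({"method": method, "params": params}),
    }


def least_privilege_key(perms, needed_methods):
    """Pick the narrowest restricted key that covers every method a component needs, or None."""
    needed = set(needed_methods)
    candidates = [(k, p) for k, p in perms.items() if p is not None and needed <= p]
    if not candidates:
        return None
    return min(candidates, key=lambda kp: len(kp[1]))[0]


if __name__ == "__main__":
    perms = parse_sparko_keys(SPARKO_KEYS)
    # the gateway only creates and watches invoices, so it never needs "pay"
    key = least_privilege_key(perms, ["invoice", "waitinvoice"])
    print("gateway key:", key)
    print(build_rpc_request(perms, key, "invoice", [1000, "order-1", "test invoice"]))
```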
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
We have a set of containers, each with its own level of access from and to the local network.
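The access level of each jail follows from the pf rules built up earlier (the NAT pool narrowed to /25, the rdr forwards for bitcoind, the developers' SSH and nginx-rev) combined with the jls table. As an added example that is not part of the article, this walks the pf.conf rules in order, resolving the redefined IP_JAIL/PORT_JAIL macros the way pfctl does, and produces a per-jail exposure report; the pf.conf and jls text are constructed from the article's own listings and the function names are my own.

```python
import ipaddress
import re

# Constructed for this example: the pf.conf rules accumulated in the article, in the
# order they were added (IP_JAIL/PORT_JAIL are redefined between rules, so macros must
# be resolved sequentially, exactly as pfctl does).
PF_CONF = """\
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/25"
set skip on lo0
scrub in all
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
"""

# Constructed: the jls table from the article (jail name taken from the last path component).
JLS_OUTPUT = """\
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
"""

MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')


def expand(text, macros):
    """Substitute $NAME macros with their definitions current at this point of the file."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)


def parse_pf(conf):
    """Walk pf.conf top to bottom; return (NAT source networks, {target ip: forwarded tcp ports})."""
    macros, nat_pools, rdr = {}, [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)  # a later definition only affects later rules
            continue
        line = expand(line, macros)
        if line.startswith("nat "):
            nat_pools.append(ipaddress.ip_network(re.search(r"from (\S+)", line).group(1)))
        elif line.startswith("rdr "):
            ports = re.search(r"port (\{[^}]*\}|\d+)", line).group(1)
            target = line.rsplit("->", 1)[1].strip()
            rdr.setdefault(target, set()).update(int(p) for p in re.findall(r"\d+", ports))
    return nat_pools, rdr


def parse_jls(output):
    """Map jail name (last path component) to its IPv4 address."""
    jails = {}
    for line in output.splitlines()[1:]:
        _jid, ip, _hostname, path = line.split()
        jails[path.rsplit("/", 1)[1]] = ip
    return jails


def exposure_report(conf=PF_CONF, jls=JLS_OUTPUT):
    """Per jail: TCP ports reachable from the public interface and whether it has outbound NAT."""
    nat_pools, rdr = parse_pf(conf)
    report = {}
    for name, ip in parse_jls(jls).items():
        addr = ipaddress.ip_address(ip)
        report[name] = {
            "ip": ip,
            "inbound_tcp": sorted(rdr.get(ip, ())),
            "outbound_nat": any(addr in net for net in nat_pools),
        }
    return report


def isolated_jails(conf=PF_CONF, jls=JLS_OUTPUT):
    """Jails with neither forwards nor NAT: they reach the Internet only through the TOR proxy jail."""
    return sorted(name for name, r in exposure_report(conf, jls).items()
                  if not r["inbound_tcp"] and not r["outbound_nat"])


if __name__ == "__main__":
    for name, r in exposure_report().items():
        print(f"{name:10} {r['ip']:15} inbound={r['inbound_tcp']} nat={r['outbound_nat']}")
    print("air-gapped:", isolated_jails())
```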
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-data
As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for testing? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com
you can create a snapshot and attach a new jail to that snapshot. The new jail will have its own space, but only the difference between the current state and the original will be counted in the file system (we save at least 190 GB).
Each jail is its own ZFS dataset, and this is very convenient.
It is also worth noting the need for remote monitoring of the host; for this purpose we have
B - security
Regarding security, let's start from the main principles in the context of infrastructure:
Confidentiality - the standard tools of a UNIX-like system ensure the implementation of this principle. We logically separate access to each individual logical element of the system - a jail. Access is granted via standard user authentication using the user's private key. All communication between and to the end jails takes place in encrypted form. Thanks to disk encryption, we do not need to worry about data security when replacing a disk or moving to another server. The only critical access is access to the host system, because that access generally provides access to the data inside the containers.
Integrity - the implementation of this principle happens at several different levels. First, it is important to note that with server hardware, ECC memory and ZFS "out of the box" take care of data integrity at the bit level. Fast snapshots let you make a backup at any moment, quickly. Convenient jail export/import tools make replicating jails easy.
Availability - this is already optional. It depends on the degree of fame and on the presence of ill-wishers. In our example, we made sure the wallet is accessible exclusively from the TOR network. If necessary, you can block everything in the firewall and allow access to the server exclusively via a tunnel (TOR or VPN is another matter). Thus the server will be cut off from the outside world as much as possible, and only we ourselves can affect its availability.
Non-repudiation - this depends more on operations and on a correct policy for user rights, access, etc. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is clearly known who performed a particular action and when.
Of course, the described configuration is not an absolute example of how it should be done, but rather one example of how it can be done while retaining the ability to scale and customize flexibly.
What about full virtualization?
For full virtualization with cbsd you can use bhyve
You need to enable a few kernel options.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...
# cat /boot/loader.conf
...
vmm_load="YES"
...
So if you suddenly need to start docker, install some debian and go!
That's all
I think that is everything I wanted to share. If you liked the article, you can send some bitcoin -
Source: www.habr.com