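OoklaServer provides a standard speed-test service over TCP and can be installed on a variety of platforms. Here it is installed on Ubuntu.
1. Download the install script
You can install as root, but for security it is recommended to install as a non-root user.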
wget https://install.speedtest.net/ooklaserver/ooklaserver.sh
chmod a+x ooklaserver.sh
2. Install the daemon
./ooklaserver.sh install
3. Start the server at boot
sudo vim /etc/rc.local
# Add the line below; replace ooklauser here with your own username
su ooklauser -c './full_path_to_your_Ookla_Server_Daemon/OoklaServer --daemon'
On CentOS, edit /etc/rc.d/rc.local instead.
4. Start and stop the service
./ooklaserver.sh start
./ooklaserver.sh restart
./ooklaserver.sh stop
To see the help, use
./ooklaserver.sh -h
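5. Test that the service is running
Go to https://www.ookla.com/host-tester and submit a test. Note that you must enter the domain name plus the port :8080, otherwise you will get an error. If everything is fine, every test result will be PASSED.
6. Install HTTPS/TLS support
OoklaServer 2.6 offers an automatic installation option: if the server can reach http://host-api.speedtest.net, you can follow the prompts step by step.
The second option is manual installation, for which the free CA tool https://certbot.eff.org/ is recommended. The site asks you to choose your operating system and version and generates a set of commands. My server runs Ubuntu 16.04, and the generated commands were: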
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot python-certbot-apache
Once that is installed, run the following command to generate the certificate
$ sudo certbot --apache
The certificate is valid for 90 days, but it can be renewed for free as many times as you like...
sudo certbot renew --dry-run
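You can see that several files were generated: cert.pem, chain.pem, fullchain.pem, key.pem. Next, the certificate files have to be specified in the Ookla configuration file.
I ran into a pitfall here. The documentation says: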
Edit your OoklaServer.properties file to include the following uncommented lines:
openSSL.server.certificateFile = /home/ookla/cert.pem
openSSL.server.privateKeyFile = /home/ookla/key.pem
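In fact, after doing exactly that, the HTTPS status check came back as failed. After going through the logs for a long time, I finally found that the pem file must contain the whole chain (full trust chain back to the issuing Certificate Authority).
Edit the configuration file and change cert.pem to fullchain.pem, and it works.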
#
# SSL Options
#
# To enable SSL, create a certificate and private key and set the path to them here:
openSSL.server.certificateFile = /root/ookla/fullchain.pem
openSSL.server.privateKeyFile = /root/ookla/key.pem
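The cert.pem versus fullchain.pem mistake described above can be caught before restarting the daemon. The script below is an added example, not code from Ookla or from the original post: it reads the two openSSL.server.* options from a properties file, fails if the certificate file holds fewer than two certificates, and, as an extra check that is an assumption of this example, fails if the key file is accessible to group or other. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ookla's code): check the TLS options in OoklaServer.properties.

# Value of the last uncommented "key = value" line for key $2 in file $1.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Number of PEM certificate blocks in file $1 (grep -c exits 1 on zero matches).
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# 0 = chain present and key owner-only, 1 = weak setting, 2 = not configured.
check_ookla_tls() {
    cert=$(prop_value "$1" openSSL.server.certificateFile)
    key=$(prop_value "$1" openSSL.server.privateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ] || [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: TLS options unset/commented out, or files unreadable"; return 2
    fi
    n=$(cert_count "$cert")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $cert holds $n certificate(s); use fullchain.pem"; return 1
    fi
    # -L follows symlinks; characters 5-10 of the mode are the group/other bits.
    if [ "$(ls -lLd "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other"; return 1
    fi
    echo "OK: $n certificates in chain, key is owner-only"
}

# Constructed demo: placeholder PEM bodies, not real certificates.
demo() {
    d=$(mktemp -d); blk='-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n'
    printf '%b' "$blk" > "$d/cert.pem"; printf '%b' "$blk$blk" > "$d/fullchain.pem"
    : > "$d/key.pem"; chmod 600 "$d/key.pem"
    for f in cert.pem fullchain.pem; do
        printf 'openSSL.server.certificateFile = %s\nopenSSL.server.privateKeyFile = %s\n' \
            "$d/$f" "$d/key.pem" > "$d/OoklaServer.properties"
        check_ookla_tls "$d/OoklaServer.properties"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the failing and passing cases, or source it and call check_ookla_tls with the path to your own OoklaServer.properties.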
########
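Three months went by and the certificate needed renewing, but certbot renew reported that the certificate had not expired (it actually had), so I simply installed the certificate again.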
root@hs01:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sp01.ld8.lon.eng.communityfibre.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sp01.ld8.lon.eng.communityfibre.co.uk.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sp01.ld8.lon.eng.communityfibre.co.uk
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains:
https://sp01.ld8.lon.eng.communityfibre.co.uk
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sp01.ld8.lon.eng.communityfibre.co.uk
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sp01.ld8.lon.eng.communityfibre.co.uk/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sp01.ld8.lon.eng.communityfibre.co.uk/privkey.pem
Your cert will expire on 2019-08-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificates are kept in the /root/ookla/ directory; copy the renewed certificate over and restart the Ookla service.
root@hs01:/root/ookla# cp /etc/letsencrypt/live/sp01.ld8.lon.eng.communityfibre.co.uk/fullchain.pem fullchain.pem
root@hs01:/root/ookla# cp /etc/letsencrypt/live/sp01.ld8.lon.eng.communityfibre.co.uk/privkey.pem key.pem
root@hs01:/root/ookla# ./ooklaserver.sh restart
Stopping OoklaServer Daemon (126148) . . . . . . . . . . . . . . . . . . . .
Additional OoklaServer processes running; stopping
Stopping OoklaServer Daemon (126148) . . . . . . . . . . . . . . . . . . . .
Stopping OoklaServer Daemon (126152) .
Stopping OoklaServer Daemon (126158) . . . . . . . . . . . . .
Stopping OoklaServer Daemon (126586) .
Stopping OoklaServer Daemon (126587)
Lingering OoklaServer processes running; killing (126148
126649
126650
126667)
Starting OoklaServer
Daemon Started (126719)
Then run the test at https://www.ookla.com/host-tester; everything passes. All done.
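The manual copy-and-restart step after renewal can be handed to certbot itself. The script below is an added example, not part of the original post: certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE pointing at the live directory. The destination file names and the /root/ookla default follow the post; the function names and the OOKLA_DIR variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: certbot deploy hook that installs a renewed certificate for
# OoklaServer. Assumed location: /etc/letsencrypt/renewal-hooks/deploy/ookla.sh

# Copy $1 to $2 with mode $3 without exposing a half-written or loosely
# permissioned file: mktemp creates the temp file owner-only in the target
# directory, and mv renames it over the old file in one step.
install_atomic() {
    tmp=$(mktemp "$(dirname "$2")/.tmp.XXXXXX") || return 1
    if cat "$1" > "$tmp" && chmod "$3" "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Install fullchain.pem and privkey.pem from lineage dir $1 into Ookla dir $2,
# using the file names the OoklaServer.properties in the post points at.
deploy_ookla_cert() {
    lineage=$1; dest=$2
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2; return 1; }
    install_atomic "$lineage/fullchain.pem" "$dest/fullchain.pem" 644 &&
    install_atomic "$lineage/privkey.pem" "$dest/key.pem" 600
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    OOKLA_DIR=${OOKLA_DIR:-/root/ookla}   # directory used in the post
    deploy_ookla_cert "$RENEWED_LINEAGE" "$OOKLA_DIR" &&
        (cd "$OOKLA_DIR" && ./ooklaserver.sh restart)
fi
```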