这篇鸿篇巨制(多达上万字)不但剖析了在你被那些“免费”的服务供养的背后所损失的隐私。事实上,Google、百度、360们比你更了解你自己;而且提出了具体的解决方案,对于稍有技术基础的人来,完整地指导了如何搭建私有云,提供全功能、商业级的邮件服务和云服务。
此外,文章中的邮件系统部分相当完善,而且,文章的思路清晰,简明扼要。其中包括基础的 SMTP/IMAP 服务自不必提,反垃圾邮件服务、灰名单、SPF、DKIM、Webmail,应有尽有,可以作为搭建产品环境中的邮件系统参考。
8年里40000多次搜索!这是我的Google搜索历史。你的呢?(可以在这里自己找一下)有经过这么长时间积累下来的这么多数据点,Google已经能非常精确的推测你对什么感兴趣、曾经的想法、担忧过的事情,以及从你第一次获得Google帐号后这些年里所有这些的变化!
很多非常私人的信息不受自己控制地存储在世界范围内的服务器上
既然我们已经拥有了一流的邮件服务器,让我们再为它增加在云上保存通讯录,日程表和文件的能力。这些是Owncloud所提供的非常赞的服务。在这个弄好后,我们还会设置一个网页邮件,这样就算你没带任何电子设备出去旅行时,或者说在你的手机或笔记本没电的情况下,也可以通过网吧来检查邮件。
安装Owncloud非常直观,而且在这里有非常好的介绍。在Debian系统里,归根结底就是把owncloud的仓库添加到apt源里,下载Owncloud的发行密钥并安装到apt钥匙链中,然后通过apt-get安装Owncloud:
echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list
wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_6.0/Release.key
apt-key add - < Release.key
apt-get update
apt-get install apache2 owncloud roundcube
在有提示的时候,选择dbconfig并设置roundcube使用mysql。然后,提供一下mysql的root密码并为roundcube的mysql用户设置一个漂亮的密码。然后,按如下方式编辑roundcube的配置文件/etc/roundcube/main.inc.php,这样登录roundcube默认会使用你的IMAP服务器:
$rcmail_config['default_host'] = 'ssl://localhost';
$rcmail_config['default_port'] = 993;
现在我们来配置一下apache2网页服务器增加SSL支持,这样我们可以和Owncloud和Roundcube对话时使用加密的方式传输我们的密码和数据。让我们打开Apache的SSL模块:
a2enmod ssl
然后编辑文件/etc/apache2/ports.conf并设定以下参数:
NameVirtualHost *:80
Listen 80
ServerName [www.jhausse.net](http://www.jhausse.net)
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
我们将在目录/var/www下为服务器加密连接https://www.jhausse.net设定一个默认网站。编辑文件/etc/apache2/sites-available/default-ssl:
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
ServerName www.jhausse.net
[...]
<Directory /var/www/owncloud>
Deny from all
</Directory>
[...]
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
[...]
</VirtualHost>
然后让我们同时也在目录/var/www下设定一个非加密连接http://www.jhausse.net的默认网站。编辑文件/etc/apache2/sites-available/default:
<VirtualHost _default_:443>
DocumentRoot /var/www
ServerName www.jhausse.net
[...]
<Directory /var/www/owncloud>
Deny from all
</Directory>
</VirtualHost>
这样的话,我们通过把文件放到/var/www目录下让www.jhausse.net使用它们提供网站服务。名叫’Deny from all’的指令可以阻止通过www.jhausse.net访问Owncloud:我们将设定通过https://cloud.jhausse.net来正常访问。
现在我们将设定网页邮件(roundcube),让它可以通过网址https://webmail.jhausse.net来访问。编辑文件/etc/apache2/sites-available/roundcube并写入以下内容:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/lib/roundcube
# The host name under which you'd like to access the webmail
ServerName webmail.jhausse.net
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# do not allow unsecured connections
# SSLRequireSSL
SSLCipherSuite HIGH:MEDIUM
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
Alias /program/js/tiny_mce/ /usr/share/tinymce/www/
# Access to tinymce files
<Directory "/usr/share/tinymce/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/lib/roundcube/>
Options +FollowSymLinks
# This is needed to parse /var/lib/roundcube/.htaccess. See its
# content before setting AllowOverride to None.
AllowOverride All
order allow,deny
allow from all
</Directory>
# Protecting basic directories:
<Directory /var/lib/roundcube/config>
Options -FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/lib/roundcube/logs>
Options -FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
然后在你的DNS服务商那里声明一下服务器,例如:
webmail.jhausse.net. 300 IN CNAME cloud.jhausse.net.
现在让我激活这三个网站:
a2ensite default default-ssl roundcube
service apache2 restart
关于网页邮件,可以通过网址https://webmail.jhausse.net来访问,基本上能工作。之后使用邮箱全名(例如roudy@jhausse.net)和在本文一开始在邮件服务器数据库里设定的密码登录。第一次连接成功,浏览器会警告说证书没有可靠机构的签名。这个没什么关系,只要添加一个例外即可。
最后但很重要的是,我们将通过把以下内容写入到/etc/apache2/sites-available/owncloud来为Owncloud创建一个虚拟主机。
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/owncloud
ServerName cloud.jhausse.net
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# do not allow unsecured connections
# SSLRequireSSL
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/ssl/certs/cloud.crt
SSLCertificateKeyFile /etc/ssl/private/cloud.key
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]"
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
然后通过执行以下命令激活Owncloud:
a2ensite owncloud
service apache2 reload
之后通过在浏览器里打开链接https://cloud.jhausse.net/配置一下Owncloud。
就这些了!现在你已经拥有自己的Google Drive,日程表,联系人,Dropbox,以及Gmail!好好享受下新鲜恢复保护的隐私吧!:-)
在云上同步你的设备
via: https://www.howtoforge.com/tutorial/build-your-own-cloud-on-debian-wheezy/
作者:Roudy Jhausse 译者:zpl1025 校对:wxy
发表回复