The AO.space Platform provides personal devices with transparent communication channel services and secure protection for Internet access. The platform can also be privately deployed. Unlike other solutions, personal account authentication and authorization in AO.space are managed solely by the server running on the personal device. The AO.space Platform cannot manage or parse any personal data, so user data stays completely under the control of the personal device.
Service components | Purpose | Installation method | Operation mode | Network port |
---|---|---|---|---|
docker | Container runtime | rpm/deb | systemd | - |
platform-mysql | Relational database | docker-compose | container | - |
platform-redis | Non-relational database | docker-compose | container | - |
platform-proxy | Network rule broker service | docker-compose | container | 127.0.0.1:61011/tcp |
gt-server | Network tunnel service | docker-compose | container | 127.0.0.1:61012/tcp, 0.0.0.0:61012/udp |
platform-base | Platform services | docker-compose | container | 127.0.0.1:61013/tcp |
platform-nginx | Routing service | docker-compose | container | 0.0.0.0:80/tcp, 0.0.0.0:443/tcp |
Throughout this guide, /opt/aoplatform/ is used as the example service deployment directory, eulix.cn as the example domain name, and 1.2.3.4 as the example public IP.
Use Git to download the service deployment repository. After installation, data is persisted in the repository directory (./data), so choose an appropriate location for the download.
yum install git -y || (apt update && apt install git -y) # Install Git.
git clone -b dev https://github.com/ao-space/platform-deploy.git /opt/aoplatform/ # Download the service deployment repository to /opt/aoplatform/; another directory can be used instead.
On Fedora, CentOS, Redhat, Debian, Ubuntu and similar operating systems:
curl -sSL https://get.docker.com | sh
On openEuler, EulixOS, EulerOS, OpenAnolis, AliyunLinux, AnolisOS and similar operating systems:
dnf install docker -y
Once Docker is installed, enable it to start at boot and start it now:
systemctl enable --now docker
Log in to your domain's DNS resolution console or domain host and add the following DNS records (1.2.3.4 is the example address; replace it with your public IP).
For the Web console:
For a zone host:
; AO.space Platform zone file for the service - append the following records to the zone file
@ 600 IN A 1.2.3.4
* 600 IN A 1.2.3.4
You can use an existing wildcard certificate to deploy this service, or you can obtain a free wildcard certificate (valid for 90 days) by following the steps below.
Use Certbot or acme.sh to obtain the free wildcard certificate. In this step, we will get a wildcard certificate from letsencrypt.org or zerossl.com.
cd /opt/aoplatform/
docker run --rm -v "$PWD/data/acme.sh/":/acme.sh/ neilpang/acme.sh --register-account -m service@ao.space # Register an ACME client account; put your own email address after -m to receive SSL expiration notices. The certificate requested in the next step is valid for three months (90 days).
cd /opt/aoplatform/
docker run --rm -v "$PWD/data/acme.sh/":/acme.sh/ neilpang/acme.sh --issue --dns -d eulix.cn -d '*.eulix.cn' -d '*.res.eulix.cn' -d '*.upload.eulix.cn' -d '*.download.eulix.cn' -d '*.push.eulix.cn' -d '*.platform.eulix.cn' --yes-I-know-dns-manual-mode-enough-go-ahead-please -k 2048 # Request an SSL certificate in manual DNS mode; the wildcard names are quoted so the shell does not expand them
# Produces the following log
[Sun Jan 1 21:56:59 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jan 1 21:56:59 UTC 2023] Multi domain='DNS:eulix.cn,DNS:*.eulix.cn,DNS:*.res.eulix.cn,DNS:*.upload.eulix.cn,DNS:*.download.eulix.cn,DNS:*.push.eulix.cn,DNS:*.platform.eulix.cn'
[Sun Jan 1 21:56:59 UTC 2023] Getting domain auth token for each domain
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.res.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.upload.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.download.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.push.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Getting webroot for domain='*.platform.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: '0928VkpG6oOOTMO9C1tEHsonsNXM76SQBb1BGmxdGfk'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'ttOvwy670kbAF34fg4XJsfut4lJjG8Ay_Pd4nFXzAs0'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.res.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'ezyDktWatt4SHINHjVGCyItLCXM3yW05CzBexr9pHc8'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.res.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.upload.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'EZWX0Gzng7J1blFWgEjrfIe3elL_-ms6EsB3z2XiQFE'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.upload.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.download.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: '0mjodbxuUfbJC3ZDWVpDRu1_j791RalMI08uSmRAe0Y'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.download.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.push.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'buFAZofgN18n7uF1CsCRVp9_idDOkN5T-As_vQQnCoU'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.push.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Add the following TXT record:
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.platform.eulix.cn'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'PYfzV4yTP-R1P-7YiLc-ciwRspR4E3LDh4NYDa_AlCk'
[Sun Jan 1 21:57:34 UTC 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sun Jan 1 21:57:34 UTC 2023] so the resulting subdomain will be: _acme-challenge.platform.eulix.cn
[Sun Jan 1 21:57:34 UTC 2023] Please add the TXT records to the domains, and re-run with --renew.
[Sun Jan 1 21:57:34 UTC 2023] Please add '--debug' or '--log' to check more details.
[Sun Jan 1 21:57:34 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Add the seven TXT records above to your DNS records.
For the Web console:
For a zone host:
; AO.space Platform zone file for the service - append the following records to the zone file
_acme-challenge 600 IN TXT "0928VkpG6oOOTMO9C1tEHsonsNXM76SQBb1BGmxdGfk"
_acme-challenge 600 IN TXT "ttOvwy670kbAF34fg4XJsfut4lJjG8Ay_Pd4nFXzAs0"
_acme-challenge.res 600 IN TXT "ezyDktWatt4SHINHjVGCyItLCXM3yW05CzBexr9pHc8"
_acme-challenge.upload 600 IN TXT "EZWX0Gzng7J1blFWgEjrfIe3elL_-ms6EsB3z2XiQFE"
_acme-challenge.download 600 IN TXT "0mjodbxuUfbJC3ZDWVpDRu1_j791RalMI08uSmRAe0Y"
_acme-challenge.push 600 IN TXT "buFAZofgN18n7uF1CsCRVp9_idDOkN5T-As_vQQnCoU"
_acme-challenge.platform 600 IN TXT "PYfzV4yTP-R1P-7YiLc-ciwRspR4E3LDh4NYDa_AlCk"
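Copying seven challenge values by hand is error-prone, and a mistyped owner name only surfaces later as a failed validation. The shell functions below are an added example, not part of the AO.space deployment repository: they convert the `Domain:` / `TXT value:` pairs from the acme.sh log into zone-file lines and report any expected record missing from a zone file. The function names, the `example.test` domain and the token values are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn acme.sh manual-DNS log output into zone-file TXT lines
# and check a zone file against them. Function names are hypothetical.

# acme_txt_to_zone <apex> < acme.log  -> prints: <owner> 600 IN TXT "<value>"
acme_txt_to_zone() {
    awk -v apex="$1" -v q="'" '
        / Domain: / {                         # [..] Domain: <q>_acme-challenge.res.<apex><q>
            split($0, p, q); name = p[2]; suffix = "." apex
            cut = length(name) - length(suffix)
            if (cut > 0 && substr(name, cut + 1) == suffix)
                name = substr(name, 1, cut)   # owner relative to the zone apex
            else
                name = name "."               # outside the apex: keep it absolute
            next
        }
        / TXT value: / && name != "" {
            split($0, p, q)
            printf "%s 600 IN TXT \"%s\"\n", name, p[2]
            name = ""; n++
        }
        END { if (n == 0) exit 1 }            # no challenge found in the log
    '
}

# missing_txt_records <apex> <acme-log> <zone-file>
# Prints every expected record absent from the zone file; returns 1 if any is.
missing_txt_records() {
    zone=$(tr -s ' \t' ' ' < "$3") || return 2   # normalise column spacing
    acme_txt_to_zone "$1" < "$2" | (
        rc=0; n=0
        while IFS= read -r rec; do
            n=$((n + 1))
            printf '%s\n' "$zone" | grep -qxF -- "$rec" ||
                { printf 'missing: %s\n' "$rec"; rc=1; }
        done
        [ "$n" -gt 0 ] || rc=1                   # an empty log is a failure too
        exit "$rc"
    )
}

# Constructed sample in the log format shown above (values are not real tokens).
sample_acme_log() {
    cat <<'EOF'
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.example.test'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'constructed-token-1'
[Sun Jan 1 21:57:34 UTC 2023] Domain: '_acme-challenge.upload.example.test'
[Sun Jan 1 21:57:34 UTC 2023] TXT value: 'constructed-token-2'
EOF
}
```

Save the output of the `--issue` run to a file, then run `missing_txt_records eulix.cn acme.log your.zone` before re-running with `--renew`.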
Get the certificate after the TXT record is added:
cd /opt/aoplatform/
docker run --rm -v "$PWD/data/acme.sh/":/acme.sh/ neilpang/acme.sh --renew --dns -d eulix.cn -d '*.eulix.cn' -d '*.res.eulix.cn' -d '*.upload.eulix.cn' -d '*.download.eulix.cn' -d '*.push.eulix.cn' -d '*.platform.eulix.cn' --yes-I-know-dns-manual-mode-enough-go-ahead-please -k 2048 # The only difference from the step that obtained the TXT records is the use of --renew
# Produces the following log:
[Sun Jan 1 22:02:20 UTC 2023] Renew: 'eulix.cn'
[Sun Jan 1 22:02:20 UTC 2023] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Sun Jan 1 22:02:21 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jan 1 22:02:21 UTC 2023] Multi domain='DNS:eulix.cn,DNS:*.eulix.cn,DNS:*.res.eulix.cn,DNS:*.upload.eulix.cn,DNS:*.download.eulix.cn,DNS:*.push.eulix.cn,DNS:*.platform.eulix.cn'
[Sun Jan 1 22:02:21 UTC 2023] Getting domain auth token for each domain
[Sun Jan 1 22:02:21 UTC 2023] Verifying: eulix.cn
[Sun Jan 1 22:02:30 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:02:36 UTC 2023] Success
[Sun Jan 1 22:02:36 UTC 2023] Verifying: *.eulix.cn
[Sun Jan 1 22:02:39 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:02:44 UTC 2023] Success
[Sun Jan 1 22:02:44 UTC 2023] Verifying: *.res.eulix.cn
[Sun Jan 1 22:02:47 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:02:52 UTC 2023] Success
[Sun Jan 1 22:02:52 UTC 2023] Verifying: *.upload.eulix.cn
[Sun Jan 1 22:02:56 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:03:01 UTC 2023] Success
[Sun Jan 1 22:03:01 UTC 2023] Verifying: *.download.eulix.cn
[Sun Jan 1 22:03:04 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:03:08 UTC 2023] Success
[Sun Jan 1 22:03:08 UTC 2023] Verifying: *.push.eulix.cn
[Sun Jan 1 22:03:11 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:03:16 UTC 2023] Success
[Sun Jan 1 22:03:16 UTC 2023] Verifying: *.platform.eulix.cn
[Sun Jan 1 22:03:19 UTC 2023] Processing, The CA is processing your order, please just wait. (1/30)
[Sun Jan 1 22:03:24 UTC 2023] Success
[Sun Jan 1 22:03:24 UTC 2023] Verify finished, start to sign.
[Sun Jan 1 22:03:24 UTC 2023] Lets finalize the order.
[Sun Jan 1 22:03:24 UTC 2023] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/XXX/finalize'
[Sun Jan 1 22:03:27 UTC 2023] Order status is processing, lets sleep and retry.
[Sun Jan 1 22:03:27 UTC 2023] Retry after: 15
[Sun Jan 1 22:03:42 UTC 2023] Polling order status: https://acme.zerossl.com/v2/DV90/order/XXX
[Sun Jan 1 22:03:47 UTC 2023] Downloading cert.
[Sun Jan 1 22:03:47 UTC 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/XXX'
[Sun Jan 1 22:03:51 UTC 2023] Cert success.
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
[Sun Jan 1 22:03:51 UTC 2023] Your cert is in: /acme.sh/eulix.cn/eulix.cn.cer
[Sun Jan 1 22:03:51 UTC 2023] Your cert key is in: /acme.sh/eulix.cn/eulix.cn.key
[Sun Jan 1 22:03:51 UTC 2023] The intermediate CA cert is in: /acme.sh/eulix.cn/ca.cer
[Sun Jan 1 22:03:51 UTC 2023] And the full chain certs is there: /acme.sh/eulix.cn/fullchain.cer
The certificate is stored under /opt/aoplatform/data/acme.sh/ in a directory named after the domain: fullchain.cer is the SSL certificate and the file named after the domain with the .key extension is the SSL private key.
cd /opt/aoplatform
./install.sh -d eulix.cn -c data/acme.sh/eulix.cn/fullchain.cer -k data/acme.sh/eulix.cn/eulix.cn.key
Running ./install.sh generates a random database password and writes the configuration to a .env file.
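After installation it is worth confirming that the listeners match the port table at the top of this guide, where platform-proxy, gt-server (TCP) and platform-base are bound to 127.0.0.1 only. The following shell function is an added example, not part of the AO.space deployment repository: it reads `ss -H -tuln` output and reports any of those ports bound to a non-loopback address. The function names are hypothetical, the sample listing is constructed, and the column layout of iproute2 `ss` is assumed.

```shell
#!/bin/sh
# Added example: compare live listeners with the port table of this guide.
# Usage on the host: ss -H -tuln | audit_platform_listeners
audit_platform_listeners() {
    awk '
        BEGIN {
            # Ports the table documents as 127.0.0.1 only:
            # platform-proxy 61011/tcp, gt-server 61012/tcp, platform-base 61013/tcp
            n = split("61011/tcp 61012/tcp 61013/tcp", l, " ")
            for (i = 1; i <= n; i++) loop_only[l[i]] = 1
        }
        $1 == "tcp" || $1 == "udp" {
            port = $5; sub(/.*:/, "", port)           # text after the last colon
            addr = substr($5, 1, length($5) - length(port) - 1)
            key = port "/" $1
            if ((key in loop_only) && addr != "127.0.0.1" && addr != "[::1]") {
                printf "EXPOSED %s bound to %s\n", key, addr
                bad = 1
            }
        }
        END { if (bad) exit 1 }                       # non-zero when a rule is violated
    '
}

# Constructed `ss -H -tuln` output: platform-base published on all interfaces.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:61012      0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:61011      0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:61012      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:61013      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
EOF
}
```

The public listeners from the table (80/tcp, 443/tcp and 61012/udp) are not flagged; only a loopback-only port that appears on another address is reported.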
If you encounter difficulties in using it, you can check AO.space Help or Contact us.