awin/Obsidian-Main
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Awin Huang
2022-06-02 17:55:14 +08:00
commit f86dc56286
598 changed files with 87559 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

190
02. PARA/03. Resources(資源)/01. 架站/01. Nginx Layer4 Reverse Proxy.md Normal file
View File

@@ -0,0 +1,190 @@
## docker-compose.yml
```yaml
version: '3'
services:
nginx_reverseproxy_l4:
container_name: nginx
restart: always
image: nginx
ports:
- "80:80"
- "443:443"
volumes:
- ./data:/etc/nginx
```
## 準備
目錄架構如下:
```
.
├── data
│   ├── mime.types
│   └── nginx.conf
└── docker-compose.yaml
```
### nginx.conf
其中`nginx.conf`的內容如下:
```
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
stream {
map $ssl_preread_server_name $backend_name {
tjn.awin.one trojan;
storj.awin.one swag;
blog.awin.one swag;
gitea.awin.one swag;
}
# trojan
upstream trojan {
server 192.168.1.31:443;
}
# swag
upstream swag {
server 192.168.1.20:44320;
}
# 监听 443 并开启 ssl_preread
server {
listen 80 reuseport;
listen 443 reuseport;
listen [::]:443 reuseport;
proxy_pass $backend_name;
ssl_preread on;
}
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
```
### mime.types
其中`mime.types`的內容如下:
```
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
```

247
02. PARA/03. Resources(資源)/01. 架站/02. SWAG Reverse proxy.md Normal file
View File

@@ -0,0 +1,247 @@
[SWAG](https://docs.linuxserver.io/general/swag)可以幫我們反向代理並且有https。是由linuxserver.io包裝的Nginx webserver和reverse proxy的container。
#### 建立docker-compose
1. 建立folder
```bash
mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag
```
2. 建立`docker-compose.yaml`
```
vim docker-compose.yaml
```
填入內容如下:
```yaml
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Taipei
- URL=awin.one
- SUBDOMAINS=wildcard
- VALIDATION=dns
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- DUCKDNSTOKEN= #optional
- EMAIL=awinhuang@gmail.com
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- MAXMINDDB_LICENSE_KEY= #optional
volumes:
- ./config:/config
ports:
- 44320:443
- 8020:80 #optional
restart: unless-stopped
```
3. 先跑一次:
```bash
sudo docker-compose up
```
會發現有錯誤,這是正常的,錯誤訊息像這樣:
```
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag | Cleaning up challenges
swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```
按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`
```bash
vim config/dns-conf/cloudflare.ini
```
把`config/dns-conf/cloudflare.ini`改為:
```
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
4. 再跑一次:
```bash
sudo docker-compose up
```
這一次就可以順利取得認證了,訊息像這樣:
```
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:
swag | /etc/letsencrypt/live/awin.one/fullchain.pem
swag | Your key file has been saved at:
swag | /etc/letsencrypt/live/awin.one/privkey.pem
swag | Your certificate will expire on 2021-04-26. To obtain a new or
swag | tweaked version of this certificate in the future, simply run
swag | certbot again. To non-interactively renew *all* of your
swag | certificates, run "certbot renew"
swag | - If you like Certbot, please consider supporting our work by:
swag |
swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
swag | Donating to EFF: https://eff.org/donate-le
swag |
swag | New certificate generated; starting nginx
swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag | [cont-init.d] 50-config: exited 0.
swag | [cont-init.d] 60-renew: executing...
swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag | [cont-init.d] 60-renew: exited 0.
swag | [cont-init.d] 70-templates: executing...
swag | [cont-init.d] 70-templates: exited 0.
swag | [cont-init.d] 99-custom-files: executing...
swag | [custom-init] no custom files found exiting...
swag | [cont-init.d] 99-custom-files: exited 0.
swag | [cont-init.d] done.
swag | [services.d] starting services
swag | [services.d] done.
swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag | Server ready
```
最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出再來設定reverse proxy。
5. 修正`config/dns-conf/cloudflare.ini`的安全性問題
```
cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini
```
#### Setup reverse proxy
1. 建立folder
```
cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled
```
2. 建立以下檔案:
- `config/nginx/sites-available/common.conf`,內容:
```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
- `config/nginx/sites-available/common_location.conf`,內容:
```
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
- `config/nginx/sites-available/storj.conf`,內容:
```
upstream storj {
server 192.168.1.11:14002;
}
server {
listen 443 ssl;
server_name storj.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.11:14002/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/blog.conf`,內容:
```
upstream blog {
server 192.168.1.30:80;
}
server {
listen 443 ssl;
server_name blog.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.30:80/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/gitea.conf`,內容:
```
upstream gitea {
server 192.168.1.32:3000; ## 網址
}
server {
listen 443 ssl;
server_name gitea.awin.one; ## 網域
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.32:3000/; ## 網址
include /config/nginx/sites-available/common_location.conf;
}
}
```
3. 在`config/nginx/sites-enabled`裡面建立要enable的config
```
cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -
```
4. 修改`config/nginx/nginx.conf`
```
vim config/nginx/nginx.conf
```
找到`include /config/nginx/site-confs/*;`這一行把它comment掉在下面新增一行
```
include /config/nginx/sites-enabled/*.conf;
```
5. 啟動swag
```
cd ~/dockers/linuxserverswag ; sudo docker-compose up -d
```
#### Restart
```bash
cd ~/dockers/linuxserverswag ; sudo docker-compose restart
```
#### Update certification
1. 進到dockr的swag bash裡面`sudo docker exec -it swag /bin/bash`
2. 輸入 `certbot renew`
3. ![[Pasted image 20210422205534.png]]
#### Trouble shooting
- 如果遇到類似下面的錯誤:
```
ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
```
表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。[^1]
#### 參考來源
1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag)
2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/)
3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure)
4. [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
5. [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy)
6. [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/)
7. [俄羅斯不愧是戰鬥民族nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498)
[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/)

14
02. PARA/03. Resources(資源)/01. 架站/03. Trojan.md Normal file
View File

@@ -0,0 +1,14 @@
## 準備
### 安裝Maria DB
## 1. 下載trojan安裝檔
```
wget https://raw.githubusercontent.com/Jrohy/trojan/master/install.sh
```
## 參考
- [Trojan史上最全面的脚本Trojan所有脚本集合 - 简书](https://www.jianshu.com/p/bb14fc75292d)
- [VPS 初体验(三)在 VPS 上快速搭建 trojan 服务 - Kiku 的个人博客](https://kiku.vip/2021/10/16/%E5%9C%A8%20VPS%20%E5%BF%AB%E9%80%9F%E6%90%AD%E5%BB%BA%20trojan%20%E6%9C%8D%E5%8A%A1/)
- [mku228/trojan: 科学上网/翻墙梯子/自由上网/trojan 搭建教程 免费机场、VPN工具 小白科学上网一键搭建VPN梯子最新2022教程](https://github.com/mku228/trojan)
- [Jrohy/trojan: trojan多用户管理部署程序, 支持web页面管理](https://github.com/Jrohy/trojan)

48
02. PARA/03. Resources(資源)/01. 架站/04. Gitea.md Normal file
View File

@@ -0,0 +1,48 @@
## docker-compose.yml
```yaml
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
- DB_TYPE=mysql
- DB_HOST=db:3306
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
- TZ=Asia/Taipei
restart: always
networks:
- gitea
volumes:
- ./datas/gitea:/data
ports:
- "3000:80"
- "322:22"
depends_on:
- db
db:
image: mysql:8
restart: always
environment:
- MYSQL_ROOT_PASSWORD=gitea
- MYSQL_USER=gitea
- MYSQL_PASSWORD=gitea
- MYSQL_DATABASE=gitea
networks:
- gitea
volumes:
- ./datas/db:/var/lib/mysql
```
## 文件
- [Gitea Docs: Config Cheat Sheet](https://docs.gitea.io/zh-tw/config-cheat-sheet/)