Obsidian-Main/02. PARA/03. Resources（資源）/01. 架站/02. SWAG Reverse proxy.md at 2a46f2a6caf8958bf307ef839a330ce7ada25620

awin/Obsidian-Main

Fork 0

Files

Awin Huang f86dc56286 init

2022-06-02 17:55:14 +08:00

10 KiB

Raw Blame History

SWAG可以幫我們反向代理，並且有https。是由linuxserver.io包裝的Nginx webserver和reverse proxy的container。

建立docker-compose

建立folder

mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag

建立docker-compose.yaml：

vim docker-compose.yaml

填入內容如下：

version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Taipei
      - URL=awin.one
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - CERTPROVIDER= #optional
      - DNSPLUGIN=cloudflare #optional
      - PROPAGATION= #optional
      - DUCKDNSTOKEN= #optional
      - EMAIL=awinhuang@gmail.com
      - ONLY_SUBDOMAINS=false #optional
      - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
      - MAXMINDDB_LICENSE_KEY= #optional
    volumes:
      - ./config:/config
    ports:
      - 44320:443
      - 8020:80 #optional
    restart: unless-stopped

先跑一次：

sudo docker-compose up

會發現有錯誤，這是正常的，錯誤訊息像這樣：

swag    | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag    | Cleaning up challenges
swag    | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag    | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

按ctrl + c退出。這時候config目錄也會有swag所mapping出來的相關檔案。修改config/dns-conf/cloudflare.ini：

vim config/dns-conf/cloudflare.ini

把config/dns-conf/cloudflare.ini改為：

# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values

With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>

# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

再跑一次：

sudo docker-compose up

這一次就可以順利取得認證了，訊息像這樣：

swag    | IMPORTANT NOTES:
swag    |  - Congratulations! Your certificate and chain have been saved at:
swag    |    /etc/letsencrypt/live/awin.one/fullchain.pem
swag    |    Your key file has been saved at:
swag    |    /etc/letsencrypt/live/awin.one/privkey.pem
swag    |    Your certificate will expire on 2021-04-26. To obtain a new or
swag    |    tweaked version of this certificate in the future, simply run
swag    |    certbot again. To non-interactively renew *all* of your
swag    |    certificates, run "certbot renew"
swag    |  - If you like Certbot, please consider supporting our work by:
swag    |
swag    |    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
swag    |    Donating to EFF:                    https://eff.org/donate-le
swag    |
swag    | New certificate generated; starting nginx
swag    | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag    | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag    | [cont-init.d] 50-config: exited 0.
swag    | [cont-init.d] 60-renew: executing...
swag    | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag    | [cont-init.d] 60-renew: exited 0.
swag    | [cont-init.d] 70-templates: executing...
swag    | [cont-init.d] 70-templates: exited 0.
swag    | [cont-init.d] 99-custom-files: executing...
swag    | [custom-init] no custom files found exiting...
swag    | [cont-init.d] 99-custom-files: exited 0.
swag    | [cont-init.d] done.
swag    | [services.d] starting services
swag    | [services.d] done.
swag    | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag    | Server ready

最後一行的swag | Server ready表示server已經跑起來了。先按下ctrl + c退出，再來設定reverse proxy。

修正config/dns-conf/cloudflare.ini的安全性問題

cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini

Setup reverse proxy

建立folder：

cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled

建立以下檔案：

config/nginx/sites-available/common.conf，內容：

add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              SAMEORIGIN;
add_header X-Content-Type-Options       nosniff;
add_header X-XSS-Protection             "1; mode=block";

config/nginx/sites-available/common_location.conf，內容：

proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;

config/nginx/sites-available/storj.conf，內容：

upstream storj {
    server         192.168.1.11:14002;
}

server {
    listen         443 ssl;
    server_name    storj.awin.one;

    include        /config/nginx/sites-available/common.conf;
    include        /config/nginx/ssl.conf;

    location / {
        proxy_pass http://192.168.1.11:14002/;
        include    /config/nginx/sites-available/common_location.conf;
    }
}

config/nginx/sites-available/blog.conf，內容：

upstream blog {
    server         192.168.1.30:80;
}

server {
    listen         443 ssl;
    server_name    blog.awin.one;

    include        /config/nginx/sites-available/common.conf;
    include        /config/nginx/ssl.conf;

    location / {
        proxy_pass http://192.168.1.30:80/;
        include    /config/nginx/sites-available/common_location.conf;
    }
}

config/nginx/sites-available/gitea.conf，內容：

upstream gitea {
    server         192.168.1.32:3000;  ## 網址
}

server {
    listen         443 ssl;
    server_name    gitea.awin.one;    ## 網域

    include        /config/nginx/sites-available/common.conf;
    include        /config/nginx/ssl.conf;

    location / {
        proxy_pass http://192.168.1.32:3000/;   ## 網址
        include    /config/nginx/sites-available/common_location.conf;
    }
}

在config/nginx/sites-enabled裡面建立要enable的config：

cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -

修改config/nginx/nginx.conf：
```
vim config/nginx/nginx.conf
```
找到include /config/nginx/site-confs/*;這一行，把它comment掉，在下面新增一行：
```
include /config/nginx/sites-enabled/*.conf;
```

啟動swag：

cd ~/dockers/linuxserverswag ; sudo docker-compose up -d

Restart

cd ~/dockers/linuxserverswag ; sudo docker-compose restart

Update certification

進到dockr的swag bash裡面：sudo docker exec -it swag /bin/bash
輸入 certbot renew
!

Trouble shooting

如果遇到類似下面的錯誤：

ERROR: for swag  Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.

表示有其他程式佔住了80 port，可能是其他docker container或是service，必須先關閉它們。¹

參考來源

啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」 ↩︎

10 KiB Raw Blame History Unescape Escape