awin/Obsidian-Main
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
95a804e0dadcf3753c5c0bd8ccdeddfddacf5929
Obsidian-Main/03. 資料收集/架站/Nginx/Reverse Proxy(Layer4).md
Awin Huang 95a804e0da vault backup: 2022-09-26 18:29:43 
Affected files:
.obsidian/workspace
01. 個人/02. 專注Study/20150803 - Android/Android programming.md
01. 個人/02. 專注Study/20220601 - C++/C++17 1.md
03. 資料收集/01. 架站/01. Nginx Layer4 Reverse Proxy.md
03. 資料收集/Android operating.md
03. 資料收集/DB/MySQL.md
03. 資料收集/DB/sqlite.md
03. 資料收集/NextDNS.md
03. 資料收集/SLAM.md
03. 資料收集/V2Ray.md
03. 資料收集/__templates/blogHeader.md
03. 資料收集/__templates/date.md
03. 資料收集/__templates/front matter.md
03. 資料收集/__templates/note.md
03. 資料收集/__templates/table.md
03. 資料收集/__templates/thisWeek.md
03. 資料收集/__templates/日記.md
03. 資料收集/__templates/讀書筆記.md
03. 資料收集/frp.md
03. 資料收集/youtube-dl.md
03. 資料收集/架站/02. SWAG Reverse proxy.md
03. 資料收集/架站/03. Trojan.md
03. 資料收集/架站/04. Gitea.md
03. 資料收集/架站/Nginx/Reverse Proxy(Layer4).md
03. 資料收集/模型/Traxxas Sledge.md
03. 資料收集/模型/舊化作例.md
03. 資料收集/財經.md
03. 資料收集/軍武/虎式.md
03. 資料收集/面試準備/技术面试最后反问面试官的话.md
2022-09-26 18:29:43 +08:00

11 KiB
Raw Blame History

Reverse Proxy(Layer4)

Reverse Proxy(Layer4)#Reverse Proxy所用的方法雖然可以反向代理多個網站但是對於像是Trojan這種TLS不行被中斷的服務來說會導致handshake失敗所以需要用Nginx的stream來做Layer 4的轉發。

docker-compose.yaml

需要先把nginx.confmime.types給copy到data目錄下。 依序執行下面2個命令

sudo docker run --rm -it nginx cat /etc/nginx/nginx.conf > nginx.conf
sudo docker run --rm -it nginx cat /etc/nginx/mime.types > mime.types

然後:

mkdir data ;\
mv nginx.conf mime.types data

建立docker-compose.yaml

version: '3'
services:
  nginx_reverseproxy_l4:
    container_name: nginx
    restart: always
    image: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data:/etc/nginx

修改data/nginx.conf

events {
    worker_connections  1024; <-- event 不用動
}

stream {
    map $ssl_preread_server_name $backend_name {
        tjn.awin.one             trojan;
        storj.awin.one           swag;
    }

    # trojan
    upstream trojan {
        server 192.168.1.31:443;
    }

    # swag
    upstream swag {
        server 192.168.1.20:44320;
    }

    # 监听 443 并开启 ssl_preread
    server {
        listen      80 reuseport;
        listen      443 reuseport;
        listen      [::]:443 reuseport;
        proxy_pass  $backend_name;
        ssl_preread on;
    }
}

http {
    ...                     <-- http 不用動
}

重點來源:

  1. Trojan 共用 443 端口方案 - 程小白
  2. NaiveProxy + Trojan + 多HTTPS站点共存复用443端口 | 心底的河流
  3. $ssl_preread_server_name的官方說明:Module ngx_stream_ssl_preread_module

Reverse Proxy

重要確定docker與docker-compose已經安裝好。 參考RaspberryPi#DockerRaspberryPi#docker-compose

Use SWAG docker

swag(之前叫做letsencrypt)是linuxserver.io包裝的Nginx webserver和reverse proxy的container。

Setup HTTPS

  1. 建立folder

    mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag

  2. 建立docker-compose.yaml

    vim docker-compose.yaml

    填入內容如下:

    version: "2.1"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Taipei
      - URL=awin.one
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - CERTPROVIDER= #optional
      - DNSPLUGIN=cloudflare #optional
      - PROPAGATION= #optional
      - DUCKDNSTOKEN= #optional
      - EMAIL=awinhuang@gmail.com
      - ONLY_SUBDOMAINS=false #optional
      - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
      - MAXMINDDB_LICENSE_KEY= #optional
    volumes:
      - ./config:/config
    ports:
      - 44320:443
      - 8020:80 #optional
    restart: unless-stopped

  3. 先跑一次:

    sudo docker-compose up

    會發現有錯誤,這是正常的,錯誤訊息像這樣:

    swag    | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag    | Cleaning up challenges
swag    | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag    | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

    ctrl + c退出。這時候config目錄也會有swag所mapping出來的相關檔案。修改config/dns-conf/cloudflare.ini

    vim config/dns-conf/cloudflare.ini

    config/dns-conf/cloudflare.ini改為:

    # Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values

With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>

# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

  4. 再跑一次:

    sudo docker-compose up

    這一次就可以順利取得認證了,訊息像這樣:

    swag    | IMPORTANT NOTES:
swag    |  - Congratulations! Your certificate and chain have been saved at:
swag    |    /etc/letsencrypt/live/awin.one/fullchain.pem
swag    |    Your key file has been saved at:
swag    |    /etc/letsencrypt/live/awin.one/privkey.pem
swag    |    Your certificate will expire on 2021-04-26. To obtain a new or
swag    |    tweaked version of this certificate in the future, simply run
swag    |    certbot again. To non-interactively renew *all* of your
swag    |    certificates, run "certbot renew"
swag    |  - If you like Certbot, please consider supporting our work by:
swag    |
swag    |    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
swag    |    Donating to EFF:                    https://eff.org/donate-le
swag    |
swag    | New certificate generated; starting nginx
swag    | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag    | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag    | [cont-init.d] 50-config: exited 0.
swag    | [cont-init.d] 60-renew: executing...
swag    | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag    | [cont-init.d] 60-renew: exited 0.
swag    | [cont-init.d] 70-templates: executing...
swag    | [cont-init.d] 70-templates: exited 0.
swag    | [cont-init.d] 99-custom-files: executing...
swag    | [custom-init] no custom files found exiting...
swag    | [cont-init.d] 99-custom-files: exited 0.
swag    | [cont-init.d] done.
swag    | [services.d] starting services
swag    | [services.d] done.
swag    | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag    | Server ready

    最後一行的swag | Server ready表示server已經跑起來了。先按下ctrl + c退出再來設定reverse proxy。

  5. 修正config/dns-conf/cloudflare.ini的安全性問題

    cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini

Setup reverse proxy

  1. 建立folder

    cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled

  2. 建立以下檔案:

    • config/nginx/sites-available/common.conf,內容: 
      add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              SAMEORIGIN;
add_header X-Content-Type-Options       nosniff;
add_header X-XSS-Protection             "1; mode=block";
    • config/nginx/sites-available/common_location.conf,內容: 
      proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;
    • config/nginx/sites-available/storj.conf,內容: 
      upstream storj {
    server         192.168.1.11:14002;
}

server {
    listen         443 ssl;
    server_name    storj.awin.one;

    include        /config/nginx/sites-available/common.conf;
    include        /config/nginx/ssl.conf;

    location / {
        proxy_pass http://192.168.1.11:14002/;
        include    /config/nginx/sites-available/common_location.conf;
    }
}

  3. config/nginx/sites-enabled裡面建立要enable的config

    cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -

  4. 修改config/nginx/nginx.conf

    vim config/nginx/nginx.conf

    找到include /config/nginx/site-confs/*;這一行把它comment掉在下面新增一行

    include /config/nginx/sites-enabled/*.conf;

  5. 啟動swag

    cd ~/dockers/linuxserverswag ; sudo docker-compose up -d

Restart

cd ~/dockers/linuxserverswag ; sudo docker-compose restart

Update certification

  1. 進到dockr的swag bash裡面sudo docker exec -it swag /bin/bash
  2. 輸入 certbot renew
  3. !Pasted image 20210422205534.png

Trouble shooting

  • 如果遇到類似下面的錯誤: 
    ERROR: for swag  Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
    表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。1

參考來源

  1. linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
  2. How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt
  3. SWAG setup - LinuxServer.io
Reference in New Issue View Git Blame Copy Permalink