FRP intranet tunnel + Nginx proxy + obtaining the real client IP

Only the key configuration is listed below.

Public-side server configuration

If the reverse-proxy target is given as an IP address, frp cannot obtain the host and answers with a 502 error. The setup below solves this, but it requires opening the frps HTTPS port and specifying a DNS server that can resolve $host.

Nginx

    server {
        listen 443 ssl;
        server_name your.domain;
        ssl_certificate ./your.domain.cer;
        ssl_certificate_key ./your.domain.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        server_tokens off;

        location / {
            resolver 223.5.5.5;  # DNS resolver used to look up $host
            proxy_ssl_server_name on;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://$host:6443;  # frps https port; use $host instead of an IP to avoid the 502
            error_page 502 http://$host:6080$request_uri;  # $request_uri already starts with "/"
        }
    }

Reference: issue #888, "nginx HTTPS reverse proxy to frp HTTPS returns a 502 error".
Reference: "frpc + frps + nginx reverse proxy + resolving the backend's real IP + two-way HTTPS auto-redirect + HTTPS certificate configuration: clean configuration files and operating guide".

FRP Server

    # [common] is integral section
    [common]
    # A literal address or host name for IPv6 must be enclosed
    # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
    bind_addr = 0.0.0.0
    bind_port = 5443
    # udp port used for kcp protocol, it can be same with 'bind_port'
    # if not set, kcp is disabled in frps
    kcp_bind_port = 5443
    # if you want to configure or reload frps by dashboard, dashboard_port must be set
    dashboard_port = 8090
    dashboard_user = admin
    dashboard_pwd = admin
    # dashboard assets directory(only for debug mode)
    # assets_dir = ./static
    vhost_http_port = 6080
    vhost_https_port =…

Change dashboard_user and dashboard_pwd from the admin/admin defaults before deploying, and do not expose dashboard_port to the public side of the tunnel.
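The nginx block above forwards the client address in X-Real-IP and X-Forwarded-For, but the service behind frpc must only believe those headers for hops it operates, otherwise any client can spoof its own address. The following is an added example, not code from the original post, showing that check; the trusted proxy addresses (a public nginx at 203.0.113.10 and frpc delivering on loopback) are constructed assumptions.

```python
# Added example, not code from the original post: derive the real client IP on the
# backend behind nginx -> frps -> frpc, skipping only hops we operate.
import ipaddress
from typing import Optional

# Constructed assumptions: the public nginx host and the frpc/loopback hop.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.10/32"),  # public nginx (assumed address)
    ipaddress.ip_network("127.0.0.0/8"),      # frpc delivering on loopback
]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk X-Forwarded-For from the right, dropping trusted proxy hops.

    nginx appends $remote_addr via $proxy_add_x_forwarded_for, so the rightmost
    entries were written by hops we control; the first untrusted value from the
    right is the real client. Anything further left was supplied by the client
    and is ignored. If the direct peer is not a trusted proxy the header was not
    set by us at all, so the peer address itself is returned.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return remote_addr
```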
View original: Nginx port forwarding (星河赵 blog)

Summary

When Nginx listens on a single port (for example port 80), it can use upstream pools to dispatch the HTTP/HTTPS requests arriving on that port to different backend ports according to the requested domain name. Example:

    ## upstream pools
    upstream one_pool {
        server 127.0.0.1:5000;
    }
    upstream two_pool {
        server 127.0.0.1:6000;
    }

    ## server one
    server {
        # listening on 80
        listen 80;
        server_name one.poryoung.cn;
        # redirect to https
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name one.poryoung.cn;
        location / {
            proxy_pass http://one_pool;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
        # SSL certificate issued by Let's Encrypt:
        ssl_certificate /.../*.poryoung.cn/fullchain.cer;
        ssl_certificate_key /.../*.poryoung.cn.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    }

    ## server two
    server {
        # listening on 80
        listen 80;
        server_name two.poryoung.cn;
        # redirect to https
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name two.poryoung.cn;
        location / {
            proxy_pass http://two_pool;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
        # SSL certificate issued by Let's Encrypt:
        ssl_certificate /.../*.poryoung.cn/fullchain.cer;
        ssl_certificate_key /.../*.poryoung.cn.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    }

The domain names and certificate paths must be replaced. The original used "listen 443;" together with "ssl on;"; that directive was removed in nginx 1.25.1, so "listen 443 ssl;" is used above. Note also that TLSv1 and TLSv1.1 in the ssl_protocols line are deprecated (RFC 8996); a current deployment should allow only TLSv1.2 and TLSv1.3.

Let's Encrypt now supports wildcard certificates. There are many tutorials online; a fairly detailed one is "Let's Encrypt free wildcard certificate application tutorial", which uses ACME.sh. During issuance, the commands ./acme.sh --issue -d *.xxorg.com -d xxorg.com --dns and ./acme.sh --renew -d *.xxorg.com -d xxorg.com may fail with a dns manual mode warning; append --yes-I-know-dns-manual-mode-enough-go-ahead-please to them.
[Original] Installing and configuring Nginx with Let's Encrypt on Ubuntu 16.04

Let's Encrypt is a new certificate authority (CA) from which you can obtain free TLS/SSL certificates to serve a web server over HTTPS. Let's Encrypt is still in beta and currently only supports automatic installation on the Apache web server. Even so, it makes obtaining a free SSL certificate very easy, after which we can install it on the web server manually.

This article covers:
- Installing Nginx on Ubuntu 16.04
- Obtaining a free SSL certificate with Let's Encrypt
- Configuring Nginx to use the SSL certificate
- How to renew the SSL certificate automatically

Prerequisites
- You must own a domain name
- The domain's A record points at the web server you are configuring
- You need root access to Ubuntu 16.04

I use test.com and www.test.com as the example domains; replace every occurrence of test.com in this article with your own domain.

Downloading the Let's Encrypt client

To obtain an SSL certificate from Let's Encrypt, first download letsencrypt. It is hosted on GitHub, so use git clone. If git is not installed, install it:

    $ sudo apt-get update
    $ sudo apt-get install git

I clone Let's Encrypt into /opt:

    $ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Obtaining the SSL certificate

If Nginx is not installed, install it:

    $ sudo apt-get install nginx

Configure Nginx:

    $ sudo vim /etc/nginx/sites-available/default

Inside the server block add:

    location ~ /.well-known {
        allow all;
    }

Purpose of /.well-known: the Let's Encrypt servers validate your web server through this path to confirm that the domain and the server are yours. You can also change the web root; the default is /var/www/html.

Reload Nginx for the change to take effect:

    $ sudo systemctl reload nginx

Obtain the SSL certificate:

    $ cd /opt/letsencrypt
    $ ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d test.com -d www.test.com

During the run you are asked for an e-mail address (used for key recovery) and to accept the agreement. On success it prints output like:

    IMPORTANT NOTES:
    ...
    - Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/test.com/fullchain.pem. Your cert will expire on 2016-06-15.
      To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    ...
Note the certificate path and the expiry date. If there is an error, check that ports 80 and 443 are open in the firewall.

The certificate files are actually stored under /etc/letsencrypt/archive; the entries in /etc/letsencrypt/live/test.com are only symlinks to the newest certificate in /etc/letsencrypt/archive. The files obtained:

    sudo ls -l /etc/letsencrypt/live/test.com

- cert.pem: the certificate for your domain
- chain.pem: the Let's Encrypt chain certificate
- fullchain.pem: cert.pem and chain.pem concatenated
- privkey.pem: the private key of your certificate

For additional security you should generate Diffie-Hellman parameters:

    $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, configure Nginx to use fullchain.pem as the certificate file and privkey.pem as the key.

Configuring Nginx to use TLS/SSL

Now that the SSL certificate exists, configure Nginx to use it. Edit the Nginx configuration file /etc/nginx/sites-available/default:

    $ sudo vim /etc/nginx/sites-available/default

Find the server block and comment out or delete the following lines:

    listen 80 default_server;
    listen [::]:80 default_server;

Inside the server block add the following configuration to enable HTTPS:

    listen…
[Original] Configuring Nginx as a reverse proxy for a Node.js application (HTTPS)

Installing Node.js

With the PPA you get the latest version of Node.js. Run the following command to add the PPA:

    curl -sL https://deb.nodesource.com/setup | sudo bash -

Install Node.js:

    sudo apt-get install nodejs npm

For some npm packages to work (for example packages that are built from source) you need the build-essential package:

    $ sudo apt-get install build-essential

Creating a simple Node.js application

A more elegant way to start Node.js applications: PM2, for managing Node.js application processes

Configuring Nginx as a reverse proxy

Install Nginx, then edit the configuration file:

    sudo vim /etc/nginx/sites-available/default

Replace the file's contents with:

    server {
        listen 80;
        server_name your_domain.com;
        location / {
            proxy_pass http://localhost:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

Restart nginx.

Adding HTTPS support (with a free Let's Encrypt certificate)

Clone the source from GitHub:

    sudo apt-get -y install git bc
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Obtain the SSL certificate. Because Let's Encrypt uses port 80 for validation, Nginx must be stopped temporarily:

    sudo systemctl stop nginx

Obtain the certificate:

    cd /opt/letsencrypt
    ./letsencrypt-auto certonly --standalone

Provide your details as prompted, including the domain name and e-mail address. After it succeeds, the certificate is saved under /etc/letsencrypt/live/your_domain/ (the path used in the configuration below).

Configure Nginx:

    sudo vim /etc/nginx/sites-enabled/default

Replace the contents with:

    # HTTP - redirect HTTP requests to HTTPS:
    server {
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    # HTTPS - reverse proxy
    server {
        listen 443 ssl;
        server_name your_domain.com;

        # SSL certificate issued by Let's Encrypt:
        ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # forward requests to localhost:8081:
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://localhost:8081/;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $http_host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
        }
    }

Replace the domain name, certificate paths and so on in the configuration above. The original wrote "listen 443;" with "ssl on;"; since that directive was removed in nginx 1.25.1, "listen 443 ssl;" is used here. The ssl_protocols line still allows the deprecated TLSv1 and TLSv1.1; on a current deployment restrict it to TLSv1.2 and TLSv1.3.

Start nginx again.

For renewing the Let's Encrypt certificate, see the following post:…
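The two HTTPS reverse-proxy configurations on this page (the per-domain port forwarding above and the Node.js proxy just shown) share the same weak spots: "ssl on" instead of "listen ... ssl", TLSv1/TLSv1.1 enabled, and proxy locations that do not pass X-Forwarded-For. The following is an added example, not code from either original post, that audits nginx server blocks for exactly those settings; its sample configuration is constructed and its brace scanner assumes a well-formed file with no braces inside quoted strings.

```python
# Added example, not from either original post: audit nginx server{} blocks for the
# settings discussed above (assumes well-formed config, no braces in quoted strings).
import re
from typing import List

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# Constructed sample: an HTTP redirect block plus a TLS block like the ones above.
SAMPLE = """server { listen 80; server_name two.example.test; return 301 https://$server_name$request_uri; }
server {
    listen 443;
    server_name two.example.test;
    location / { proxy_pass http://two_pool; proxy_set_header Host $host; }
    ssl on;
    ssl_certificate /etc/letsencrypt/live/two.example.test/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""


def server_blocks(conf: str) -> List[str]:
    """Return the text of every top-level server { ... } block."""
    blocks, pos = [], 0
    while (m := re.search(r"\bserver\s*\{", conf[pos:])):
        start = pos + m.start()
        depth = 0
        for j in range(start, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            if depth == 0 and conf[j] == "}":
                break
        blocks.append(conf[start:j + 1])
        pos = j + 1
    return blocks


def audit(block: str) -> List[str]:
    """Return human-readable findings for one server block (empty list = clean)."""
    findings = []
    if re.search(r"^\s*ssl\s+on\s*;", block, re.M):
        findings.append("'ssl on' was removed in nginx 1.25.1; use 'listen 443 ssl'")
    if "ssl_certificate" in block and not re.search(r"^\s*listen\s[^;]*\bssl\b", block, re.M):
        findings.append("certificate configured but no 'listen ... ssl' directive")
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", block, re.M)
    if m and (weak := WEAK_PROTOCOLS & set(m.group(1).split())):
        findings.append("deprecated protocols enabled: " + " ".join(sorted(weak)))
    if "proxy_pass" in block and "X-Forwarded-For" not in block:
        findings.append("proxy_pass without X-Forwarded-For: backend cannot log the client IP")
    return findings
```

Run audit() over server_blocks() of a real file to get one finding list per block; an empty list means the block passes all four checks.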
[Original] How To Install Nginx on Ubuntu 16.04

Install nginx

Nginx is available in Ubuntu's default repositories, so the installation is rather straightforward.

    sudo apt-get update
    sudo apt-get install nginx

Adjust the firewall (using ufw)

Get a listing of the application profiles:

    sudo ufw app list

Output:

    Available applications:
      Nginx Full
      Nginx HTTP
      Nginx HTTPS
      OpenSSH

Enable:

    sudo ufw allow 'Nginx HTTP'

Verify:

    sudo ufw status

Check your web server

    systemctl status nginx

Manage the Nginx process

    sudo systemctl stop nginx
    sudo systemctl start nginx
    sudo systemctl restart nginx

If you are simply making configuration changes, Nginx can often reload without dropping connections. To do this, use:

    sudo systemctl reload nginx

By default, Nginx is configured to start automatically when the server boots. If this is not what you want, you can disable this behavior by typing:

    sudo systemctl disable nginx

To re-enable the service to start up at boot, you can type:

    sudo systemctl enable nginx

Get familiar with important Nginx files and directories

Content

/var/www/html: The actual web content,…