After upgrading my EA6500V2 to an x86 NAS, the number of services grew fast. Inside the LAN they all listen on 80/443, but I have at most two public IPs, China Telecom blocks inbound port 80 on residential lines, and even if I port-forward 443 there are not enough IPs to give every service its own.

Luckily I had already written a ddns.sh for dynamic DNS, so managing the services from outside naturally goes through domain names. How? An Nginx reverse proxy: one name-based virtual host per service, all sharing the single public 443. Let's roll up our sleeves.
One service, one subdomain!
- the router
- ESXi
- Webmin for managing the Ubuntu Server
- my personal cloud drive
- the site you are reading right now
- the site serving static assets
- ......
ESXi first:

```nginx
server {
    server_name xxx.tofuliang.me;
    listen 443 ssl http2;       # "ssl on;" dropped: deprecated, and redundant with the ssl parameter on listen
    ssl_certificate /usr/local/share/ssl/tofuliang.me.pem;
    ssl_certificate_key /usr/local/share/ssl/tofuliang.me.key;
    access_log off;
    error_log /dev/null crit;   # "error_log off;" does not disable logging, it writes to a file named "off"
    location / {
        # Proxy settings
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.2.254;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
    }
}
```
Drop in the config file, run `nginx -s reload`, switch the phone off WiFi and try it: works! Back on the PC I tried opening a VM's console in the browser, and it just hung.

The browser's debugger showed that the console runs over a WebSocket (the request under `/ticket` should be answered with `101 Switching Protocols`; through the proxy it wasn't). I had done WebSocket forwarding before for a WebSocket-disguised tunnel, so I borrowed that and added this location:

```nginx
location /ticket {
    proxy_redirect off;
    proxy_pass https://192.168.2.254;
    # WebSocket needs HTTP/1.1 plus the Upgrade/Connection headers passed through
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}
```

And sure enough, that fixed it.
Right then koolshare LEDE shipped a new release, and uploading the image through the proxy failed outright. Experience says Nginx is refusing a request body that large: `client_max_body_size` defaults to 1m and anything bigger is answered with 413 Request Entity Too Large. So I added `client_max_body_size 4g;`, which is the actual fix for the upload, and alongside it `proxy_max_temp_file_size 0;` so that large responses from the backend are streamed to the client instead of being spooled to disk. Problem solved.
The final Nginx configuration then looks like this:

```nginx
client_max_body_size 4g;        # default is 1m; larger bodies get a 413

server {
    server_name esxi.tofuliang.me;
    listen 443 ssl http2;       # "ssl on;" dropped: deprecated, and redundant with the ssl parameter on listen
    ssl_certificate /usr/local/share/ssl/tofuliang.me.pem;
    ssl_certificate_key /usr/local/share/ssl/tofuliang.me.key;
    access_log off;
    error_log /dev/null crit;   # "error_log off;" would log to a file literally named "off"

    # ESXi's browser console opens a WebSocket under /ticket
    location /ticket {
        proxy_redirect off;
        proxy_pass https://192.168.2.254;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

    location / {
        # Proxy settings
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://192.168.2.254;
        proxy_max_temp_file_size 0;     # stream large responses instead of spooling them to disk
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
    }
}
```
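The config above is one hand-written vhost; the post lists half a dozen services that all need the same treatment. The following is an added example (my own, not code from the original post) that renders one hardened server block per service from a small inventory and lints the result before `nginx -t`. It generalizes the `/ticket` fix with the standard `map $http_upgrade $connection_upgrade` pattern so WebSocket works on any path, replaces the deprecated `ssl on;` and the `error_log off;` trap, streams large uploads with `proxy_request_buffering off`, and hides the backend's `X-XSS-Protection`. The service names, backend addresses and `render_vhost`/`lint` helpers are assumptions modelled on the post; only `esxi.tofuliang.me` and `192.168.2.254` come from it.

```python
"""Render one hardened Nginx server block per internal service.

Added example; not code from the original post. The service inventory,
backend addresses and certificate paths are assumptions modelled on the post.
"""
from textwrap import dedent

# Constructed inventory: one subdomain per service, as the post lists them.
SERVICES = {
    "router": "https://192.168.2.1",
    "esxi": "https://192.168.2.254",
    "webmin": "https://192.168.2.10:10000",
}

# Goes in the http{} context once. The map turns the client's Upgrade header
# into the Connection value the backend needs, so WebSocket works on any path
# instead of only a hard-coded /ticket location.
HTTP_CONTEXT = dedent("""\
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    client_max_body_size 4g;
""")


def render_vhost(name, backend, zone="tofuliang.me", cert_dir="/usr/local/share/ssl"):
    """Return a server{} block proxying https://<name>.<zone>/ to backend."""
    return dedent(f"""\
        server {{
            server_name {name}.{zone};
            listen 443 ssl http2;
            ssl_certificate     {cert_dir}/{zone}.pem;
            ssl_certificate_key {cert_dir}/{zone}.key;
            access_log off;
            # "off" is not a valid error_log target (it creates a file named off)
            error_log /dev/null crit;

            # Nothing here authenticates: anyone who learns the name reaches the
            # backend's login page. Add allow/deny or ssl_verify_client if needed.
            location / {{
                proxy_pass {backend};
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
                # Stream multi-GB uploads (firmware images) straight to the backend
                # instead of spooling them to a temp file first.
                proxy_request_buffering off;
                proxy_max_temp_file_size 0;
                proxy_read_timeout 90;
                # The backend uses a self-signed cert and nginx does not verify it
                # by default; pin it with proxy_ssl_verify on + a trusted CA file.
                proxy_ssl_server_name on;
                # Drop the backend's copy so the header is not emitted twice.
                proxy_hide_header X-XSS-Protection;
            }}
        }}
    """)


def render_all(services=SERVICES):
    """Full conf.d fragment: shared http{} bits followed by one vhost per service."""
    return HTTP_CONTEXT + "\n" + "\n".join(render_vhost(n, b) for n, b in services.items())


def lint(conf):
    """Cheap offline sanity checks before nginx -t: balanced braces, known traps."""
    problems = []
    if conf.count("{") != conf.count("}"):
        problems.append("unbalanced braces")
    if "ssl on;" in conf:
        problems.append("'ssl on;' is deprecated; use 'listen 443 ssl'")
    if "error_log off" in conf:
        problems.append("'error_log off' logs to a file named off")
    return problems


if __name__ == "__main__":
    cfg = render_all()
    assert not lint(cfg), lint(cfg)
    print(cfg)
```

Write the output to a file under `conf.d/`, run `nginx -t`, then `nginx -s reload`; the `map` must end up in the `http{}` context, which is where `conf.d` includes normally live.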
One more thing worth mentioning when configuring koolshare LEDE: hide the backend's X-XSS-Protection header,

```nginx
proxy_hide_header X-XSS-Protection;
```

otherwise the browser console reports this error, and the software center misbehaves as well:

```
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.
```

The root cause: for hardening I already add that header in nginx.conf, and LEDE's own web server sends it too, so the browser receives it twice. Repeated header fields are folded into one comma-separated value, `1; mode=block, 1; mode=block`, and the comma at position 13 is exactly where the parser gives up. The headers in nginx.conf:

```nginx
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin" always;
```

Two caveats on that block. `add_header` is inherited from the enclosing level only when the current `server` or `location` has no `add_header` of its own, so a single `add_header` inside a location silently drops all of these. And X-XSS-Protection itself is obsolete: Chromium removed its XSS Auditor in version 78 and Firefox never implemented the header; a Content-Security-Policy is what replaces it.
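To see the duplication for yourself rather than wait for the browser console, here is an added example (my own, not from the original post) that audits a raw HTTP response: it reports repeated fields and what the client sees after folding them, flags missing hardening headers, and runs the folded X-XSS-Protection value through a small parser that reports the same "expected semicolon at character position 13" as the browser. The response is constructed for the example, the `REQUIRED` list is my choice, and the parser is an approximation of the browser's check, not browser code.

```python
"""Audit a proxied response for duplicated or missing security headers.

Added example; not part of the original post. The response below is
constructed to reproduce the situation the post describes: nginx adds
X-XSS-Protection via add_header and the LEDE backend already sends its own.
The small X-XSS-Protection parser mimics the check a browser applies; it is
an approximation written for this example, not browser code.
"""
from collections import Counter
import re

# Constructed raw response as the browser receives it from the proxy before
# proxy_hide_header is in place.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"          # sent by LEDE itself
    "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"          # added again by nginx
    "\r\n"
    "<html>...</html>"
)

# Headers a hardened vhost should always carry (names compared case-insensitively).
REQUIRED = ("strict-transport-security", "x-content-type-options",
            "referrer-policy", "content-security-policy")


def parse_headers(raw):
    """Return (lowercased name, value) pairs in wire order, duplicates kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def combined_value(pairs, name):
    """Value a client sees after folding repeated fields (RFC 7230 s3.2.2)."""
    values = [v for n, v in pairs if n == name]
    return ", ".join(values) if values else None


_DIRECTIVE = re.compile(r"(mode|report)=([^;,\s]+)")


def parse_xss_protection(value):
    """Parse '0' | '1' followed by ';'-separated directives.

    Returns (settings, None) on success or (None, position) where parsing
    failed, which is the position a browser reports as 'expected semicolon'.
    """
    i, n = 0, len(value)

    def skip_ws():
        nonlocal i
        while i < n and value[i] == " ":
            i += 1

    skip_ws()
    if i >= n or value[i] not in "01":
        return None, i
    settings = {"enabled": value[i] == "1"}
    i += 1
    while True:
        skip_ws()
        if i >= n:
            return settings, None
        if value[i] != ";":                      # e.g. the ',' from header folding
            return None, i
        i += 1
        skip_ws()
        m = _DIRECTIVE.match(value, i)
        if not m:
            return None, i
        settings[m.group(1)] = m.group(2)
        i = m.end()


def audit(raw):
    """Return a list of findings; empty means the header set looks sane."""
    pairs = parse_headers(raw)
    counts = Counter(name for name, _ in pairs)
    findings = []
    for name, c in sorted(counts.items()):
        if c > 1:
            findings.append(f"duplicate header {name} ({c}x): client sees "
                            f"{combined_value(pairs, name)!r}")
    for name in REQUIRED:
        if name not in counts:
            findings.append(f"missing header {name}")
    xss = combined_value(pairs, "x-xss-protection")
    if xss is not None:
        _, err = parse_xss_protection(xss)
        if err is not None:
            findings.append(f"X-XSS-Protection unparseable: expected semicolon "
                            f"at character position {err}")
    return findings


if __name__ == "__main__":
    for finding in audit(RAW_RESPONSE):
        print(finding)
```

Against a live vhost, replace `RAW_RESPONSE` with the output of `curl -sk -D - -o /dev/null https://esxi.tofuliang.me/` (`-D -` dumps the response headers); once `proxy_hide_header X-XSS-Protection;` is in place the duplicate and the parse error both disappear, leaving only whatever is genuinely missing.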