8 - Setting up an nginx reverse proxy on a public server

Overview

As the number of services in my HomeLab grows, configuring SSL for each one has become tedious. Deploying a certificate inside each Docker container is cumbersome and cannot be automated centrally, so I switched to running an nginx reverse proxy on a public server and letting Let's Encrypt renew the domain certificates automatically.
Install nginx

Start nginx:

```shell
sudo systemctl start nginx
```

Check the nginx status:

```shell
sudo systemctl status nginx
```

Web root after installation: /var/www/html/
Configuration directory: /etc/nginx/
Configure frp

Because ports 80 and 443 are handed to nginx, which accepts the connections and reverse-proxies them, frp's vhost_http_port is set to 7080 and vhost_https_port to 7443.
Configure nginx

Configuration without SSL

Add a few server blocks to the nginx configuration. Once port 80 works end to end, the setup is basically solid; what remains is the certificate work for port 443.

```nginx
server {
    listen 80;
    # listen 443 ssl;
    server_name alfredty.com;
    client_max_body_size 1024M;

    location / {
        # proxy_pass http://alfredty.com:7080;
        # proxy_set_header Host $host:$server_port;
        proxy_pass http://alfredty.com:7080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
    }
}

server {
    listen 80;
    # listen 443 ssl;
    server_name tool.alfredty.com;
    client_max_body_size 1024M;

    location / {
        # proxy_pass http://alfredty.com:7080;
        # proxy_set_header Host $host:$server_port;
        proxy_pass http://tool.alfredty.com:7080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
    }
}

server {
    listen 80;
    # listen 443 ssl;
    server_name op.alfredty.com;
    client_max_body_size 1024M;

    location / {
        # proxy_pass http://alfredty.com:7080;
        # proxy_set_header Host $host:$server_port;
        proxy_pass http://op.alfredty.com:7080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
    }
}

server {
    listen 80;
    # listen 443 ssl;
    server_name git.alfredty.com;
    client_max_body_size 1024M;

    location / {
        # proxy_pass http://git.alfredty.com:7080;
        # proxy_set_header Host $host:$server_port;
        proxy_pass http://git.alfredty.com:7080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
    }
}
```
After the configuration is done, restart nginx.
Configure certificates

Use Let's Encrypt to obtain free certificates; its certbot tool obtains and manages them.

Install certbot

https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal&tab=standard
Obtain the certificate and update the nginx configuration

Obtain the certificate:

```shell
sudo certbot certonly --nginx --dry-run
sudo certbot certonly --nginx
```

Configure nginx with the certificate paths printed by certbot:

```nginx
server {
    listen 80;
    # the domain names bound to the certificate
    server_name alfredty.com op.alfredty.com tool.alfredty.com git.alfredty.com;
    # redirect plain-HTTP requests for these names to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # SSL is served on the default port 443
    listen 443 ssl;
    # the domain name bound to the certificate
    server_name alfredty.com;
    # relative or absolute path of the certificate file
    ssl_certificate /etc/letsencrypt/live/alfredty.com/fullchain.pem;
    # relative or absolute path of the private key file
    ssl_certificate_key /etc/letsencrypt/live/alfredty.com/privkey.pem;
    ssl_session_timeout 5m;
    # cipher suites, written in openssl syntax
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # allowed protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://alfredty.com:7080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
    }
}
# ... and so on: a 443 server block for each of op.alfredty.com, tool.alfredty.com and git.alfredty.com is all that is needed
```
Renew certificates

```shell
sudo certbot renew --dry-run
sudo certbot renew
```
Add domains to the certificate

If you later want to add a new domain to the certificate, you can do it directly with a command; remember to include the domains already on the certificate as well.

```shell
certbot certonly --cert-name alfredty.com -d xxx.alfredty.com,yyy.alfredty.com,zzz.alfredty.com,alfredty.com,aaa.alfredty.com,bbb.alfredty.com,ccc.alfredty.com
```
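The gotcha in that step (an existing name left out of -d is dropped from the re-issued certificate) can be guarded against with a small check. The following is an added example, not part of the original post: it extracts the names served on 443 from an nginx config, reports which ones the current certificate lacks, and builds the certbot command with every existing name kept. The config text and the current certificate's domain list are constructed sample data, and SAMPLE_CONF, CURRENT_CERT_DOMAINS and the function names are my own.

```python
import re

# Constructed sample in the shape of this post's config: one :80 redirect block plus one :443
# block per site; git.alfredty.com is already served over TLS but is not yet on the cert.
SAMPLE_CONF = """
server { listen 80; server_name alfredty.com op.alfredty.com tool.alfredty.com git.alfredty.com;
         return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name alfredty.com;  # a brace in a comment { must be ignored
         location / { proxy_pass http://alfredty.com:7080; } }
server { listen 443 ssl; server_name op.alfredty.com;   location / { proxy_pass http://op.alfredty.com:7080; } }
server { listen 443 ssl; server_name tool.alfredty.com; location / { proxy_pass http://tool.alfredty.com:7080; } }
server { listen 443 ssl; server_name git.alfredty.com;  location / { proxy_pass http://git.alfredty.com:7080; } }
"""
CURRENT_CERT_DOMAINS = ["alfredty.com", "op.alfredty.com", "tool.alfredty.com"]  # constructed: what the cert covers now


def server_blocks(conf):
    """Bodies of the top-level { ... } blocks of a sites-enabled style file (assumed to be server blocks)."""
    conf = re.sub(r"#[^\n]*", "", conf)          # comments may contain braces
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):                # brace-depth aware: nested location blocks
        if ch == "{":                            # must not cut a server block short
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:i])
                start = None
    return blocks


def tls_server_names(conf):
    """Every server_name of a block that listens on 443 with ssl, in file order."""
    names = []
    for body in server_blocks(conf):
        if re.search(r"\blisten\s+443\s+ssl\b", body):
            for m in re.finditer(r"\bserver_name\s+([^;]+);", body):
                names.extend(m.group(1).split())
    return names


def missing_from_cert(cert_domains, conf):
    """TLS-served names that the current certificate does not cover."""
    return sorted(set(tls_server_names(conf)) - set(cert_domains))


def expand_command(cert_name, cert_domains, conf):
    """The certbot line for adding names to an existing cert. Existing names stay first and
    are always kept: a -d list that omits one of them silently drops it on re-issue."""
    new = [n for n in tls_server_names(conf) if n not in cert_domains]
    wanted = list(dict.fromkeys(cert_domains + new))
    return "certbot certonly --cert-name %s -d %s" % (cert_name, ",".join(wanted))
```

Run missing_from_cert on the live config before invoking certbot, and compare its expand_command output against what `certbot certificates` currently lists.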
View and manage certificates