Introduction
My blog used to be deployed on Cloudflare Pages. The upside is that it is trivial to deploy with GitHub Actions; the obvious downside is the latency on routes from mainland China, so I decided to move it onto the Claw box I have. That machine also runs a proxy, though, and the proxy needs port 443 so that it does not stand out, hence this post.
Configuring the firewall
To rule the firewall out as a source of configuration bugs, set up a minimal ufw ruleset first. Only 22, 80 and 443 need to be reachable from outside: 80 stays open for certbot's HTTP-01 challenge, 443 is where the nginx stream listener will sit, and the internal ports 1443 and 8443 used later are deliberately left closed so that neither Xray nor the blog's HTTPS server can be reached except through nginx.
```bash
sudo apt install ufw
sudo ufw allow 22
sudo ufw allow 80/tcp    # certbot's HTTP-01 challenge (the 'Nginx HTTP' profile only exists once nginx is installed)
sudo ufw allow 443/tcp   # the port the nginx stream listener binds below
sudo ufw enable          # rules do nothing until ufw is enabled (no-op if it already is)
```
Installing Nginx and Certbot and obtaining a certificate
nginx needs the stream module here (ssl_preread comes from ngx_stream_ssl_preread_module), so install nginx-full; if a plain nginx package was installed earlier, remove it first. Whatever package you end up with, confirm the stream modules are actually present before going on: the `include /etc/nginx/modules-enabled/*.conf;` line in the config below loads them when they are built as dynamic modules.
```bash
sudo apt install nginx-full
sudo apt install certbot python3-certbot-nginx
nginx -V 2>&1 | grep -o -- '--with-stream[^ ]*'   # should list stream and stream_ssl_preread
```
Once installed, obtain a certificate with:
```bash
sudo certbot --nginx
# Enter your e-mail address and domain name when prompted
```
This runs against the stock nginx config, whose default site still listens on port 80, so the HTTP-01 challenge goes through without any extra work.
Configuring Nginx
Open /etc/nginx/nginx.conf with nano or another editor; my configuration is below. The stream block owns port 443 and, with ssl_preread, only inspects the SNI in the unencrypted ClientHello without terminating TLS: the blog hostname is handed to the HTTPS server on 8443, everything else (any other SNI, no SNI at all, or non-TLS traffic) to Xray on 1443. Two things to note: the HTTPS server binds to loopback only, since the stream proxy is its only client; and because this file replaces the whole nginx.conf, the sites-enabled include and the port-80 site certbot wrote are gone, so check afterwards that certificate renewal still works.
```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;   # loads the dynamic stream modules

events {
    worker_connections 768;
}

stream {
    # Route on the SNI from the ClientHello only; TLS is not terminated here.
    # map matching is case-insensitive; an empty or absent SNI falls into default.
    map $ssl_preread_server_name $backend_name {
        blog.example.com web_backend;      # the blog goes to the HTTPS server on 8443
        default          reality_backend;  # everything else goes to Xray on 1443
    }

    upstream reality_backend {
        server 127.0.0.1:1443;
    }

    upstream web_backend {
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $backend_name;
    }
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1/1.1 dropped; certbot's options-ssl-nginx.conf sets the same
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    gzip on;

    server {
        root /var/www/blog;
        index index.html index.htm index.nginx-debian.html;
        server_name blog.example.com;   # must match the map entry in the stream block
        # Loopback only: the stream proxy above is the only client of this server,
        # so 8443 never needs to be reachable from outside.
        listen 127.0.0.1:8443 ssl;
        listen [::1]:8443 ssl;
        ssl_certificate /etc/letsencrypt/live/blog.example.com/fullchain.pem;       # certbot's default path
        ssl_certificate_key /etc/letsencrypt/live/blog.example.com/privkey.pem;     # certbot's default path
        include /etc/letsencrypt/options-ssl-nginx.conf;   # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;      # managed by Certbot
    }
}
```
After making the changes, check the config and restart nginx:
```bash
sudo nginx -t && sudo systemctl restart nginx
sudo certbot renew --dry-run   # confirms renewal still works under the rewritten config
```
Configuring Xray
On the Xray side the only change is to move the listening port from 443 to 1443; I use Reality. Since nginx forwards to 127.0.0.1:1443, bind the inbound to 127.0.0.1 as well rather than to all interfaces. If everything is right, visiting the blog domain brings up the blog, and visiting any other hostname lands on the dest site configured in Reality, which means the setup works.
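To make the routing decision concrete, and to check the map before touching the live box, here is an added Python example; it is not part of the original post and not code from nginx or Xray. It builds a real ClientHello with the standard ssl module (nothing is sent on the wire), extracts the SNI the way ssl_preread does (parse the unencrypted hello, never terminate TLS), and applies the page's map: blog.example.com to 127.0.0.1:8443, everything else, including an absent SNI or a non-TLS byte stream, to 127.0.0.1:1443. The hostnames and ports come from the config above; the function names, the constructed sample inputs and the optional `live_probe` network check are this example's own.

```python
import socket
import ssl

# Routing table copied from the nginx stream block on this page.
SNI_MAP = {"blog.example.com": "127.0.0.1:8443"}   # web_backend
DEFAULT_BACKEND = "127.0.0.1:1443"                 # reality_backend


def build_client_hello(server_hostname):
    """Produce the raw bytes of a ClientHello using Python's ssl module.

    The handshake runs over MemoryBIOs and stops as soon as OpenSSL has
    written the ClientHello and waits for a ServerHello, so no socket is
    opened. server_hostname=None yields a hello without an SNI extension.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # the handshake is never completed anyway
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is in `outgoing`; OpenSSL now wants the server's reply
    return outgoing.read()


def extract_sni(data):
    """Return the host_name from a TLS ClientHello record, or '' if there is none.

    Anything that is not a handshake record (plain HTTP, SSH, garbage) yields
    '' so that it falls into the map's default branch, exactly as with nginx.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = TLS handshake record
            return ""
        rec_len = int.from_bytes(data[3:5], "big")
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = ClientHello
            return ""
        p = 4 + 2 + 32                                # hs header, client_version, random
        p += 1 + hs[p]                                # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")   # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        if p + 2 > len(hs):
            return ""                                 # no extensions at all
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(hs[p:p + 2], "big")
            ext_len = int.from_bytes(hs[p + 2:p + 4], "big")
            body = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type != 0x0000:                    # 0 = server_name (RFC 6066)
                continue
            q = 2                                     # skip the ServerNameList length
            while q + 3 <= len(body):
                name_type = body[q]
                name_len = int.from_bytes(body[q + 1:q + 3], "big")
                if name_type == 0:                    # host_name
                    return body[q + 3:q + 3 + name_len].decode("ascii", "replace")
                q += 3 + name_len
    except IndexError:
        pass                                          # truncated record: treat as no SNI
    return ""


def choose_backend(sni):
    """Apply the map: exact, case-insensitive match, otherwise default."""
    return SNI_MAP.get(sni.lower(), DEFAULT_BACKEND)


def route(client_bytes):
    """Decide where a connection's first bytes would be proxied to."""
    return choose_backend(extract_sni(client_bytes))


def live_probe(host, sni, port=443):
    """Optional network check against the real box (not run offline): connect
    with the given SNI and return the subject of the certificate that answers.
    The blog SNI should yield the Let's Encrypt certificate for the blog; any
    other SNI should yield the certificate of the Reality dest site."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # chain is still verified; name mismatch is expected
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    for name in ["blog.example.com", "www.microsoft.com", None]:
        print(repr(name), "->", route(build_client_hello(name)))
    # constructed non-TLS input: a plain HTTP request hitting port 443
    print("plain HTTP ->", route(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

The same live check from a shell is `openssl s_client -connect <host>:443 -servername blog.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, repeated with a different `-servername` to confirm that the Reality dest's certificate comes back instead.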