2020-07-12 | Tinkering

home-server

DDNS

Automatically updating the public IP: the godns project polls the public IP on a schedule and pushes any change to the DNS record automatically.

docker run -d --name godns --restart=always -v /path/to/config.json:/usr/local/godns/config.json timothyye/godns:latest

More configuration parameters are in the godns docs. PS: the SUB_DOMAIN A record has to be created by hand at the DNS provider before godns can update it. config.json carries the DNSPod API token, so keep it 0600 on the host; godns only reads it, so a read-only bind mount (`:ro`) is enough.

# example config:
# Replace $ID, $TOKEN, $DOMAIN, $SUB_DOMAIN
# (the container sits behind the router, so eth0 only carries a private
# address; the public address has to come from ip_url)
{
    "provider": "DNSPod",
    "login_token": "$ID,$TOKEN",
    "domains": [
        {
            "domain_name": "$DOMAIN",
            "sub_domains": [
                "$SUB_DOMAIN"
            ]
        }
    ],
    "ip_url": "https://myip.biturl.top",
    "interval": 300,
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/38.0.2125.111 Safari/537.36",
    "ip_interface": "eth0",
    "socks5_proxy": "",
    "notify": {
        "enabled": false,
        "smtp_server": "",
        "smtp_username": "",
        "smtp_password": "",
        "smtp_port": 25,
        "send_to": ""
    }
}

HTTPS certificate && nginx reverse proxy

The HTTPS certificate is issued and renewed automatically with acme.sh, using DNS-01 validation through the DNSPod API (a wildcard certificate can only be validated that way).

# Issue the certificate first (quote the wildcard so the shell does not glob it)
docker-compose run acme.sh --issue --dns dns_dp -d '*.domain.com'

# From then on just
docker-compose up -d

acme.sh 3.0 and later default to ZeroSSL instead of Let's Encrypt; ZeroSSL wants an account e-mail registered first (`--register-account -m you@domain.com`), or add `--server letsencrypt` to the --issue command to keep the Let's Encrypt behaviour this post assumes.
# /home-proxy/docker-compose.yml
# docker-compose up -d
# Replace $DNSPOD_ID, $DNSPOD_KEY, $NGINX_80, $NGINX_443 (or put them in a
# .env file next to this one; compose substitutes them, so keep that file
# out of version control)
version: '3'
services:
  acme.sh:
    image: neilpang/acme.sh
    volumes:
      - "./acme.sh:/acme.sh:z"
    environment:
      - DP_Id=$DNSPOD_ID
      - DP_Key=$DNSPOD_KEY
    command: daemon

  nginx:
    image: nginx
    ports:
      - "$NGINX_80:80"
      - "$NGINX_443:443"
    volumes:
      # nginx only reads the certs, so mount read-only: ./acme.sh also holds
      # account.conf (where acme.sh saves the DNSPod key) and the ACME account
      # key. Alternatively point this at a directory acme.sh --install-cert
      # copies into, so nginx never sees the rest.
      - "./acme.sh:/etc/nginx/certs:ro"
      - "./nginx/conf.d/:/etc/nginx/conf.d:z"
      - "./nginx/log/:/var/log/nginx/:z"
    environment:
      - ENV=production

nginx configuration

# /home-proxy/nginx/conf.d/proxy.conf
# Replace domain.com, $SERVICE_IP, $PORT and $PUBLIC_HTTPS_PORT. Those are
# placeholders to substitute by hand, not nginx variables; $host,
# $http_upgrade, $remote_addr etc. are nginx variables and stay as written.
server {
    listen 80;
    server_name *.domain.com;
    # $host carries no port. The public HTTPS port here is not 443 (the ISP
    # blocks it, see below), so the redirect has to name it explicitly or
    # browsers end up on a port that never answers.
    return 301 https://$host:$PUBLIC_HTTPS_PORT$request_uri;
}
server {

    listen 443 ssl http2;
    server_name xxx.domain.com;

    location / {
        proxy_pass https://$SERVICE_IP:$PORT;
        # WebSocket upgrade needs HTTP/1.1 towards the backend; nginx
        # defaults to 1.0, which silently breaks the Upgrade header below.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        # proxy_ssl_verify is off by default, so the backend's certificate is
        # never checked. Acceptable on a trusted LAN; otherwise enable it and
        # set proxy_ssl_trusted_certificate to the backend's CA.
    }
    # acme.sh names the directory after the domain, so the '*' is a literal
    # character in the path, not a glob. acme.sh 3.x with its default ECC key
    # writes to *.domain.com_ecc instead; adjust the paths accordingly.
    ssl_certificate /etc/nginx/certs/*.domain.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/certs/*.domain.com/*.domain.com.key;
}
...

One more thing to keep in mind: this is the only `listen 443` server, so it is also the default server, and a client that sends any other SNI (or none at all) still gets served with this certificate. A `default_server` block that just does `return 444;` keeps scanners from enumerating the proxied host through it.
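A pre-reload check for the files acme.sh writes, as an added example that is not part of the post, of acme.sh or of nginx: before nginx is pointed at a freshly issued or renewed certificate, confirm that the key really belongs to the certificate, that the SAN list contains the wildcard name, and that it is not about to expire, then run `nginx -t` and reload. The only tool assumed is openssl on PATH; the throwaway self-signed certificate is constructed inside the block so the checks can run offline, and CERT_DIR in the usage comment is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the post, acme.sh or nginx: sanity checks on a
# certificate/key pair before nginx is reloaded with it. Assumes openssl.

# 0 if the private key belongs to the certificate (compares the hash of the
# SubjectPublicKeyInfo derived from each side).
cert_key_match() {  # $1 cert, $2 key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate will still be valid $2 days from now.
cert_valid_for_days() {  # $1 cert, $2 days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the certificate's Subject Alternative Name list contains DNS name $2
# exactly ('*.domain.com' does not cover 'domain.com', and vice versa).
cert_covers() {  # $1 cert, $2 name
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$2"
}

# Number of certificates in the file; acme.sh's fullchain.cer holds the
# leaf plus its intermediate(s), a lone self-signed cert holds one.
cert_chain_len() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Gate: run every check, report the first failure, return nonzero.
check_cert_files() {  # $1 cert, $2 key, $3 name, $4 minimum days left
    cert_key_match "$1" "$2"      || { echo "key does not match cert" >&2; return 1; }
    cert_covers "$1" "$3"         || { echo "cert does not cover $3" >&2; return 1; }
    cert_valid_for_days "$1" "$4" || { echo "cert expires within $4 days" >&2; return 1; }
    echo "ok: $1 covers $3, key matches, valid for more than $4 days"
}

# Constructed demo input: a throwaway self-signed wildcard certificate, used
# only so the checks above can run offline. -addext needs OpenSSL 1.1.1+.
make_demo_cert() {  # $1 dir, $2 file prefix, $3 DNS name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/$2.key" -out "$1/$2.cer" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# Usage with the post's layout (the '*' in the path is literal, that is how
# acme.sh names the directory; CERT_DIR is a hypothetical variable name):
#   CERT_DIR='./acme.sh/*.domain.com'
#   check_cert_files "$CERT_DIR/fullchain.cer" "$CERT_DIR/*.domain.com.key" '*.domain.com' 14 \
#       && docker-compose exec nginx nginx -t \
#       && docker-compose exec nginx nginx -s reload
```

Run it from a cron job after acme.sh's own renewal window rather than reloading nginx blindly: a renewal that produced a key/cert mismatch, or a cert for the wrong name, otherwise takes every proxied service offline at once.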

Router port forwarding

                    +----------------+
                    |                |
                    | optical modem  |
                    |                |
                    +-------+--------+
                            |
                            v
                    +-------+--------+
                    |                |
                    |     router     |
                    |                |
                    +-------+--------+
                            |
      +---------------------+------------------+
      |                     |                  |
      |                     v                  |
+-----v-----+        +------+------+    +------v------+
|           |        |             |    |             |
|   nginx   |        |   service   |    |   service   |
|           |        |             |    |             |
+-----------+        +-------------+    +-------------+


Enable DMZ on the China Unicom optical modem so that all inbound traffic is handed to the router. On the router, set up port forwarding to nginx (Unicom blocks 80/443, so pick some other, unblocked ports yourself), and nginx finally dispatches to each service. That gives a public home server with the little green padlock. Since DMZ passes every unsolicited packet from the WAN to the router, forward only the nginx ports and make sure the router's own admin interface is not reachable from the WAN side; a non-standard port is not a hiding place, scanners find it within hours.

The only regret is having to type the port along with the domain every time. For personal use that is no big deal, and connecting straight home over the public internet is still fast, which is a pleasure.
