Complete Nginx + Certbot + Stream Module Tutorial

kimlopez

First, install Nginx:

apt update
apt install nginx

Then create the configuration files. Start with a stream configuration file for the L4 (TCP) proxy:

# Create the stream config directory
mkdir -p /etc/nginx/streams-enabled/

# Create the stream config file
nano /etc/nginx/streams-enabled/vpn.conf

Its contents:

# VPN stream configuration: route by TLS SNI without terminating TLS here
stream {
    map $ssl_preread_server_name $backend {
        edu.xxx.com          vpn_backend;
        default              web_backend;
    }

    upstream vpn_backend {
        server 127.0.0.1:8443;
    }

    upstream web_backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
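To show what `ssl_preread` actually looks at in the stream block above, here is an added example (not part of the original post) that parses the server_name extension out of an unencrypted TLS ClientHello, without decrypting or terminating anything, and applies the same map: `edu.xxx.com` to 127.0.0.1:8443, everything else, including clients that send no SNI at all, to 127.0.0.1:8080. The ClientHello bytes are constructed inside the script and the parser assumes a well-formed record; `SNI_ROUTES` and `DEFAULT_BACKEND` mirror the page's `map` and `upstream` values.

```python
import struct

SNI_ROUTES = {"edu.xxx.com": ("127.0.0.1", 8443)}   # vpn_backend (mirrors the page's map)
DEFAULT_BACKEND = ("127.0.0.1", 8080)              # web_backend (the map's default)


def build_client_hello(server_name):
    """Build a minimal TLS ClientHello record, with an SNI extension if server_name is given (constructed input)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)        # client_version, random
        + b"\x00"                      # session_id length 0
        + b"\x00\x02\x13\x01"          # one cipher suite
        + b"\x01\x00"                  # one compression method (null)
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def preread_server_name(record):
    """Return the SNI host name from an unencrypted ClientHello, or None; nothing is decrypted or terminated."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a TLS handshake record carrying a ClientHello
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = 4 + 2 + 32                                   # skip handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0:                            # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def route(record):
    """Apply the page's map: a matching SNI goes to vpn_backend, anything else (including no SNI) to web_backend."""
    return SNI_ROUTES.get(preread_server_name(record), DEFAULT_BACKEND)
```

Because the stream server hands the raw bytes to 127.0.0.1:8080, the HTTP servers on that port see 127.0.0.1 as the client address unless PROXY protocol is added on both sides.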

Then create the main HTTP configuration:

# Create the site config directory
mkdir -p /etc/nginx/sites-enabled/

# Create the config file
nano /etc/nginx/sites-enabled/websites.conf

Its contents:

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name xxx.com a.xxx.com;
    return 301 https://$host$request_uri;
}

# xxx.com configuration (TLS is terminated here, on 8080, behind the stream proxy)
server {
    listen 8080 ssl;
    server_name xxx.com;

    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        return 200 "hello world";
    }

    location /ws {
        proxy_pass http://localhost:3001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Named location: only reached via try_files or error_page, not by a request path
    location @backend {
        proxy_pass http://localhost:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# a.xxx.com configuration
server {
    listen 8080 ssl;
    server_name a.xxx.com;

    ssl_certificate /etc/letsencrypt/live/a.xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.xxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location /files/ {
        rewrite ^/files/(.*) /.files/$1 break;
        proxy_pass http://localhost:3002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /api {
        proxy_pass http://localhost:3002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Edit the main configuration file:

nano /etc/nginx/nginx.conf

Add at the top:

# Must sit at the top level, outside the http {} block. On Debian/Ubuntu packages the
# stream module is loaded dynamically via /etc/nginx/modules-enabled/*.conf, so keep
# this line after that include or nginx -t reports "unknown directive stream".
include /etc/nginx/streams-enabled/*.conf;

Obtain the SSL certificates:

# Install certbot
apt install certbot python3-certbot-nginx

# Obtain the certificates
certbot certonly --nginx -d a.xxx.com
certbot certonly --nginx -d xxx.com

Finally:

# Test the configuration
nginx -t

# If the test passes, restart Nginx
systemctl restart nginx

# Enable start on boot
systemctl enable nginx