V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
shunagliu008
V2EX  ›  分享发现

Homelab | 架构设计与实现-Low-level design --Nginx Reverse Proxy

  •  
  •   shunagliu008 · 2023-06-24 09:34:54 +08:00 · 1085 次点击
    这是一个创建于 544 天前的主题,其中的信息可能已经有所发展或是发生改变。

    一 介绍

    关于 “架构设计与实现-High-level design”篇章里,云上部分的实现重点是-Nginx Reverse Proxy ,依据策略,部分流量在“云本地”处理,部分流量通过 FRP 转发到‘Homelab’另一个本地。

    请输入图片描述

    依据上图,云上主机部署如下应用:

    1. Typecho 博客,LNMP 方式部署在宿主机上
    2. Wordpress 博客,通过 Docker 部署
    3. FRP server ,通过 Docker 部署
    4. Letsencrypt, 通过 docker 部署
    5. portainer ,通过 Docker 部署
    root@myblog:~# docker ps
    CONTAINER ID   IMAGE                           COMMAND                  CREATED        STATUS        PORTS                                          NAMES
    a943473882e5   snowdreamtech/frps              "/bin/sh -c '/usr/bi…"   5 months ago   Up 3 days                                                    frps
    83e72086e158   portainer/portainer-ce:latest   "/portainer"             5 months ago   Up 2 months   8000/tcp, 9443/tcp, 127.0.0.1:9000->9000/tcp   portainer
    05408a9f98d8   mysql:5.7                       "docker-entrypoint.s…"   5 months ago   Up 2 months   33060/tcp, 127.0.0.1:13306->3306/tcp           myblog-db-1
    2137b27bdf51   linuxserver/swag                "/init"                  5 months ago   Up 11 days    80/tcp, 443/tcp                                letsencrypt
    cb2a2593f729   wordpress:latest                "docker-entrypoint.s…"   5 months ago   Up 2 months   0.0.0.0:8001->80/tcp, :::8001->80/tcp          myblog-wordpress-1
    

    二 部署

    1 Typecho 博客,LNMP 方式部署在宿主机

    How To Install Linux, Nginx, MySQL, PHP (LNMP stack) on Ubuntu 20.04

    2 Wordpress 博客,通过 Docker 部署

    version: '2'
    
    services:
       db:
         image: mysql:5.7
         volumes:
           - db_data:/var/lib/mysql
         restart: always
         environment:
           MYSQL_ROOT_PASSWORD: ${MYSQL_DATABASE_PASSWORD:-wordpress007}
           MYSQL_DATABASE: wordpress
           MYSQL_USER: wordpress001
           MYSQL_PASSWORD: wordpress007
    
       wordpress:
         image: wordpress:latest
         ports:
           - 8001:80
         restart: always
         environment:
           WORDPRESS_DB_HOST: db:3306
           WORDPRESS_DB_USER: wordpress001
           WORDPRESS_DB_PASSWORD: wordpress007
    
    volumes:
        db_data:
    
    

    3 FRP server ,通过 Docker 部署

    docker run --restart=always --network host -d -v /root/frps.ini:/etc/frp/frps.ini --name frps snowdreamtech/frps
    

    4 Letsencrypt, 通过 docker 部署

    https://homelab.samliu.tech/archives/lets-encrypt-%E9%80%9A%E9%85%8D%E7%AC%A6%E8%AF%81%E4%B9%A6.html

    5 portainer ,通过 Docker 部署

    docker run -d --network host --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
    

    6 Nginx 反向代理配置

    前面依据安装好了 Nginx ,修改配置之前,需要了解下 Nginx 配置文件结构关系。 Understanding the Nginx Configuration File Structure and Configuration Contexts

    root@myblog:~# tree /etc/nginx/
    /etc/nginx/
    ├── conf.d
    │   └── ssl-nginx.conf
    ├── fastcgi.conf
    ├── fastcgi_params
    ├── koi-utf
    ├── koi-win
    ├── mime.types
    ├── modules-available
    ├── modules-enabled
    │   ├── 50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
    │   ├── 50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
    │   ├── 50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
    │   └── 50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
    ├── nginx.conf
    ├── nginx.conf.bak
    ├── nginx.conf.save
    ├── proxy_params
    ├── scgi_params
    ├── sites-available
    │   ├── default
    │   ├── http
    │   ├── http.bak
    │   ├── https
    │   └── https.bak
    ├── sites-enabled
    │   ├── http -> /etc/nginx/sites-available/http
    │   └── https -> /etc/nginx/sites-available/https
    ├── snippets
    │   ├── fastcgi-php.conf
    │   └── snakeoil.conf
    ├── uwsgi_params
    ├── win-utf
    └── wireguard.stream.conf
    
    • /etc/nginx/nginx.conf: 主配置文件,里面嵌套了多个不同路径下的子配置文件,通过 include 语句。
    root@myblog:~# more /etc/nginx/nginx.conf
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    
    events {
            worker_connections 768;
            # multi_accept on;
    }
    
    http {
    
            ##
            # Basic Settings
            ##
            client_max_body_size 30m;
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 65;
            types_hash_max_size 2048;
            # server_tokens off;
    
            server_names_hash_bucket_size 64;
            # server_name_in_redirect off;
    
            include /etc/nginx/mime.types;
            default_type application/octet-stream;
    
            ##
            # SSL Settings
            ##
    
            # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
            # ssl_prefer_server_ciphers on;
    
            ##
            # Logging Settings
            ##
    
            access_log /var/log/nginx/access.log;
            error_log /var/log/nginx/error.log;
    
            ##
            # Gzip Settings
            ##
    
            gzip on;
    
            gzip_vary on;
            gzip_proxied any;
            gzip_comp_level 6;
            gzip_buffers 16 8k;
            gzip_http_version 1.1;
            gzip_min_length 256;
            gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    
            ##
            # Virtual Host Configs
            ##
    
            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*;
    }
    
    #stream {
    #    include /etc/nginx/wireguard.stream.conf;
    #}
    
    #mail {
    #       # See sample authentication script at:
    #       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
    #
    #       # auth_http localhost/auth.php;
    #       # pop3_capabilities "TOP" "USER";
    #       # imap_capabilities "IMAP4rev1" "UIDPLUS";
    #
    #       server {
    #               listen     localhost:110;
    #               protocol   pop3;
    #               proxy      on;
    #       }
    #
    #       server {
    #               listen     localhost:143;
    #               protocol   imap;
    #               proxy      on;
    #       }
    #}
    
    • sites-available: 该文件夹是存放关于 HTTP 配置文件的地方,特定配置文件需要软链接到 sites-enabled 文件夹才生效
    • sites-enabled:该文件夹包括实际生效的,关于 HTTP 的所有相关配置
    • conf.d: 关于 HTTP 其他子配置文件存放地,例如 SSL 配置
    root@myblog:~# more /etc/nginx/conf.d/ssl-nginx.conf
        ########################################################################
        # from https://cipherlist.eu/                                            #
        ########################################################################
    
        ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        # Disable preloading HSTS for now.  You can use the commented out header line that includes
        # the "preload" directive if you understand the implications.
        #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        ##################################
        # END https://cipherlist.eu/ BLOCK #
        ##################################
    
    • 关于 WEB 流量的反向代理配置,着重关注 sites-enabled 文件夹。
    root@myblog:~# more /etc/nginx/sites-enabled/http
    server {
        listen 80 default_server;
        #listen [::]:80;
        server_name _;
        return 412;
        #access_log /var/www/your_domain3/your_domain3_http.log;
    }
    
    server {
        listen 80;
        #listen [::]:80;
        server_name *.samliu.tech *.duckdns.org;
        return 301 https://$host$request_uri;
        #access_log /var/www/your_domain3/your_domain3_http.log;
    }
    

    HTTP 配置逻辑: 针对收到的 HTTP 请求,检查域名( host 字段),精确匹配条件优先于其他,因此,对于*.samliu.tech *.duckdns.org ,重定向到 HTTPS 流量;对于 server_name _,其他所有域名,返回 412 错误码。

    root@myblog:~# more /etc/nginx/sites-enabled/https
    server {
        listen 443 ssl http2 default_server;
        server_name _;
        return 412;
        ssl_certificate /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/fullchain.pem;
        ssl_certificate_key /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
    }
    
    
    server {
        listen 185.186.146.68:9000 ssl http2;
        server_name $host;
        ssl_certificate /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/fullchain.pem;
        ssl_certificate_key /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #include /etc/nginx/conf.d/ssl-nginx.conf
    
        location / {
            proxy_pass http://127.0.0.1:9000;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        #access_log /var/www/your_domain2/your_domain2_https.log;
    
    
    }
    
    
    server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name typecho.samliu.tech homelab.samliu.tech;
        root /var/www/typechooo;
        # include typecho.conf;
        index index.html index.htm index.php;
    
        ssl_certificate /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/fullchain.pem;
        ssl_certificate_key /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #include /etc/nginx/conf.d/ssl-nginx.conf
    
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php$1 last;
            }
    
        location / {
            try_files $uri $uri/ =404;
            }
    
        location ~ .*\.php(\/.*)*$ {
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
            }
            fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
    
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }
    
        location ~ /\.ht {
            deny all;
        }
        #access_log /var/www/your_domain1/your_domain1_https.log;
    }
    
    
    
    
    server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name blog.samliu.tech;
    
        ssl_certificate /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/fullchain.pem;
        ssl_certificate_key /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #include /etc/nginx/conf.d/ssl-nginx.conf
    
        ########################################################################
    
        location / {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        #access_log /var/www/your_domain2/your_domain2_https.log;
    }
    
    
    
    server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name *.samliu.tech *.duckdns.org;
    
        ssl_certificate /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/fullchain.pem;
        ssl_certificate_key /root/letsencrypt-config/etc/letsencrypt/live/samliu.tech/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        #include /etc/nginx/conf.d/ssl-nginx.conf
    
        ########################################################################
    
        location / {
            proxy_pass http://127.0.0.1:980;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        #access_log /var/www/your_domain2/your_domain2_https.log;
    }
    
    

    HTTPS 配置逻辑: 收到 HTTPS 情况后,明细条件优先与其他,保留所有原始 HTTP header 信息以便支持 websocket 等,相同的 SSL 配置信息剥离到 /etc/nginx/conf.d/ssl-nginx.conf 。

    -listen 185.186.146.68:9000 ssl http2 匹配该 IP+端口,转发到 http://127.0.0.1:9000 ,此处为 portainer

    -typecho.samliu.tech homelab.samliu.tech 匹配该域名,转发到 Typecho 网站,root /var/www/typechooo ,此处是部署在本地的服务,非反向代理服务。

    -blog.samliu.tech 匹配该域名,转发到 http://127.0.0.1:8001 ,此处为 Wordpress 网站,docker 部署的

    -*.samliu.tech *.duckdns.org 匹配该域名,转发到 http://127.0.0.1:980 ,此处为 FRP server 服务,docker 部署的,作为二级反向代理

    -server_name _ 剩下的所有其他 HTTPS 请求,返回 return 412 错误码。 [/scode]

    三 其他 /引用

    How To Install WordPress With Docker Compose

    https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-docker-compose

    How to Set Up SSH Keys on Ubuntu 20.04 https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-20-04

    How To Install Linux, Nginx, MySQL, PHP (LEMP stack) on Ubuntu 20.04 https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-ubuntu-20-04

    How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 20.04 Server https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-20-04-server

    How To Improve Website Performance Using gzip and Nginx on Ubuntu 20.04 https://www.digitalocean.com/community/tutorials/how-to-improve-website-performance-using-gzip-and-nginx-on-ubuntu-20-04

    1 条回复    2023-06-24 16:31:19 +08:00
    hanguofu
        1
    hanguofu  
       2023-06-24 16:31:19 +08:00 via Android
    写得很详细:) 请问鉴权应该在哪里实现呢?
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3086 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 14:10 · PVG 22:10 · LAX 06:10 · JFK 09:10
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.