diff --git a/resources/conf/nginx.conf b/resources/conf/nginx.conf
index 29bc085..f333ab1 100644
--- a/resources/conf/nginx.conf
+++ b/resources/conf/nginx.conf
@@ -1,6 +1,6 @@
-#user nobody;
-worker_processes 1;
+user root;
+worker_processes 4;
 #error_log logs/error.log;
 #error_log logs/error.log notice;
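Review bot: `+user root;` makes every nginx worker run as root, so any flaw in request handling, a proxied module, or a script hook (the second hunk of this file keeps a commented `access_by_lua_file` line) executes with full privileges, whereas the removed `#user nobody;` default already ran the workers unprivileged. The usual motive is read access to `/etc/letsencrypt/live/*/privkey.pem`, but the nginx master process loads certificate and key files as root before the workers drop privileges, so the key files need no change for an unprivileged worker user. Restore `user nobody;` (or a dedicated service account) and leave root to the master only. `worker_processes 4;` pins one host's core count into a tracked config; `worker_processes auto;` lets nginx size it per host.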
@@ -30,7 +30,457 @@ http { #keepalive_timeout 0; keepalive_timeout 65; - #gzip on; + gzip on; + upstream local { + server 127.0.0.1:8081; + } + + upstream twikoo { + server 127.0.0.1:8084; + } + upstream frp_http_proxy { + server 127.0.0.1:8085; + } + + upstream frp_https_proxy { + server 127.0.0.1:8086; + } + + upstream frp_board { + server 127.0.0.1:8087; + } + + upstream meilisearch { + server 127.0.0.1:7700; + } + + server { + listen 443 ssl; + server_name gitea.amass.fun; + ssl_certificate /etc/letsencrypt/live/gitea.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/gitea.amass.fun/privkey.pem; + location / { + client_max_body_size 512M; + proxy_pass http://frp_http_proxy; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + } + + server { + listen 443 ssl; + server_name unraid.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 512m; #上传文件最大支持512m + + ssl_certificate /etc/letsencrypt/live/unraid.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/unraid.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + # access_by_lua_file lua/authentication.lua; + } + } + + server { 
+ listen 443 ssl; + server_name pve.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 512m; #上传文件最大支持512m + + ssl_certificate /etc/letsencrypt/live/pve.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/pve.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_ssl_server_name on; + proxy_ssl_name $host; + proxy_pass https://frp_https_proxy; + } + } + + server { + listen 443 ssl; + server_name iot.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/iot.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/iot.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name cloud.amass.fun; + + client_header_timeout 120s; + 
client_body_timeout 120s; + client_max_body_size 512m; #上传文件最大支持512m + + ssl_certificate /etc/letsencrypt/live/cloud.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_ssl_server_name on; + proxy_ssl_name $host; + proxy_pass https://frp_https_proxy; + } + } + + server { + listen 443 ssl; + server_name office.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 512m; #上传文件最大支持512m + + ssl_certificate /etc/letsencrypt/live/office.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/office.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_ssl_server_name on; + proxy_ssl_name $host; + proxy_pass https://frp_https_proxy; + } + } + + server { + listen 443 ssl; + server_name code.amass.fun; + + 
client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/code.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/code.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name photos.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 100m; + + ssl_certificate /etc/letsencrypt/live/photos.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/photos.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name money.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/money.amass.fun/fullchain.pem; + ssl_certificate_key 
/etc/letsencrypt/live/money.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name emoney.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/emoney.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/emoney.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name jellyfin.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 100m; + + ssl_certificate /etc/letsencrypt/live/jellyfin.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/jellyfin.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name reader.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 100m; + + ssl_certificate /etc/letsencrypt/live/reader.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/reader.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name music.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 100m; + + ssl_certificate /etc/letsencrypt/live/music.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/music.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
#安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name home.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/home.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/home.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + location / { + proxy_http_version 1.1; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 443 ssl; + server_name notes.amass.fun; + + client_header_timeout 120s; + client_body_timeout 120s; + + ssl_certificate /etc/letsencrypt/live/notes.amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/notes.amass.fun/privkey.pem; + ssl_session_timeout 5m; #缓存有效期 + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #安全链接可选的加密协议 + ssl_prefer_server_ciphers on; #使用服务器端的首选算法 + + underscores_in_headers on; + # proxy_pass_request_headers on; + + location / { + proxy_http_version 1.1; + proxy_set_header 
Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header x-wiz-real-ip $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://frp_http_proxy; + } + } + + server { + listen 80; + server_name notes.amass.fun; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl; + http2 on; + server_name amass.fun; + ssl_certificate /etc/letsencrypt/live/amass.fun/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/amass.fun/privkey.pem; + include server.conf; + } server { listen 80; diff --git a/resources/conf/server.conf b/resources/conf/server.conf new file mode 100644 index 0000000..f41f78f --- /dev/null +++ b/resources/conf/server.conf 
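Review bot: Every added `server` block except gitea.amass.fun sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with a cipher string that ends in `ECDHE:ECDH:AES:HIGH:…`, which enables TLS 1.0/1.1 (deprecated by RFC 8996) and CBC and static-ECDH suites on fourteen public hostnames, and it contradicts the `TLSv1.1 TLSv1.2 TLSv1.3` plus ECDHE-only list the same commit writes into server.conf. Change each to `ssl_protocols TLSv1.2 TLSv1.3;` with the server.conf cipher string, or better, move the repeated `ssl_*` lines and the identical `proxy_set_header` set into one snippet pulled in with `include`, as the amass.fun block already does with `include server.conf;`, so the TLS policy lives in one place. The three blocks that `proxy_pass https://frp_https_proxy;` (pve, cloud, office) turn on `proxy_ssl_server_name` but keep nginx's default `proxy_ssl_verify off`, which is tolerable only because that upstream is 127.0.0.1; if it ever moves off-host, add `proxy_ssl_verify on;` with a `proxy_ssl_trusted_certificate`. The inline comments `#缓存有效期`, `#加密算法`, `#安全链接可选的加密协议`, `#使用服务器端的首选算法` should be English like the file's other comments.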
@@ -0,0 +1,100 @@
+# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; #安全链接可选的加密协议
+ssl_prefer_server_ciphers off;
+
+location / {
+ root amass_blog;
+ index index.html index.htm;
+ add_header X-Content-Type-Options "nosniff";
+}
+
+location = /api/v1/search/reindex {
+ proxy_pass http://local;
+}
+
+location ^~ /api/v1/search/ {
+ proxy_pass http://meilisearch/;
+}
+
+location ~ ^/api/v1/.*$ {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header x-wiz-real-ip $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_pass http://local;
+}
+
+location ~ ^/lvgl/.+$ {
+ root amass_blog;
+ index index.html index.htm;
+ try_files /lvgl/index.html =404;
+}
+
+location ^~ /api/v1/freedom {
+ if ($http_upgrade != "websocket") { # WebSocket协商失败时返回404
+ return 404;
+ }
+ proxy_redirect off;
+ proxy_pass http://127.0.0.1:8089;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ # Show real IP in v2ray access.log
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+location ^~ /freedom {
+ if ($content_type !~ "^application/grpc") {
+ return 402;
+ }
+ client_max_body_size 0;
+ client_body_buffer_size 512k;
+ grpc_set_header X-Real-IP $remote_addr;
+ client_body_timeout 1w;
+ grpc_read_timeout 1w;
+ grpc_send_timeout 1w;
+ grpc_pass unix:/dev/shm/Freedom-gRPC.socket;
+}
+
+location ~ /notify.*$ {
+ proxy_pass http://local;
+}
+
+#error_page 404 /404.html;
+
+# redirect server error pages to the static page /50x.html
+#
+error_page 500 502 503 504 /404.html;
+location = /404.html {
+ root amass_blog;
+}
+
+location /wechat {
+ proxy_pass http://local;
+}
+
+location /twikoo {
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://twikoo;
+}
+
+location /frp/ {
+ proxy_pass http://frp_board/;
+ proxy_redirect /static/ /frp/static/;
+}
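Review bot: The Strict-Transport-Security line at the top of the new file is commented out, so amass.fun is served without HSTS even though nginx.conf gives notes.amass.fun a 301 to HTTPS; when it is enabled at server level, note that `add_header X-Content-Type-Options "nosniff";` inside `location /` suppresses inheritance of every server-level `add_header`, so either repeat the HSTS `add_header` in that location or move the `nosniff` header up beside it. `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` still admits TLS 1.1 (deprecated by RFC 8996), which does not fit the ECDHE/CHACHA20 cipher list and `ssl_prefer_server_ciphers off` beneath it; `ssl_protocols TLSv1.2 TLSv1.3;` is the matching setting. `location ^~ /api/v1/search/ { proxy_pass http://meilisearch/; }` forwards the whole prefix to the Meilisearch root rather than only the search endpoint, so unless that instance runs with a master key (not visible here) its index-management routes are reachable from the internet; restrict the location to the search path and method, or require the key at the proxy. `location ~ /notify.*$` is unanchored and matches `/notify` anywhere in the URI; `location ~ ^/notify` is presumably what was meant.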