如果返回的结果中含有 --with-stream和--with-stream_ssl_preread_module,就说明这两个模块已经被编译进了Nginx;否则则需要自己重新编译Nginx。
修改 Ngnix 默认配置
vi /etc/nginx/nginx.conf
加入转发模块
在配置文件底部加上如下转发模块(他人的):
# stream模块设置
stream {
# SNI识别,将一个个域名映射成一个配置名
map $ssl_preread_server_name $stream_map {
website.example.com web;
xtls.example.com beforextls;# 注意这里修改了
}
# upstream,也就是流量上游的配置
upstream beforextls {
server 127.0.0.1:7999;
}
upstream xtls {
server 127.0.0.1:9000;
}
upstream web {
server 127.0.0.1:443;
}
# stream模块监听服务器公网IP443端口,并进行端口复用
server {
listen [服务器公网IP]:443 reuseport;
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on; # 开启Proxy protocol
}
server {
listen 127.0.0.1:7999 proxy_protocol;# 开启Proxy protocol
proxy_pass xtls; # 以真实的XTLS作为上游,这一层是与XTLS交互的“媒人”
}
}
自定义:
stream {
map $ssl_preread_server_name $stream_map {
bore.vip web;
www.bore.vip web1;
p.bore.vip beforextls;
}
upstream beforextls {
server 127.0.0.1:7999;
}
upstream xtls {
server 127.0.0.1:9000;
}
upstream web {
server 127.0.0.1:443;
}
upstream web1 {
server 127.0.0.1:443;
}
server {
listen [服务器公网IP]:443 reuseport;
proxy_pass $stream_map;
ssl_preread on;
proxy_protocol on;
}
server {
listen 127.0.0.1:7999 proxy_protocol;
proxy_pass xtls;
}
}
修改xr端口为
9000
修改web服务器配置:
vi /etc/nginx/conf.d/halo.conf
他人的:
# Web服务器的配置
server {
listen 80;# 我们只对443端口进行SNI分流,80端口依旧做Web服务;SNI分流也只能在443端口上跑TLS流量才能分流
listen 127.0.0.1:443 ssl http2 proxy_protocol;# 监听本地443端口,要和上面的stream模块配置中的upstream配置对的上,开启Proxy protocol
......
if ($ssl_protocol = "") {
return 301 https://$host$request_uri;
}
index index.html index.htm index.php;
try_files $uri $uri/ /index.php?$args;
set_real_ip_from 127.0.0.1;# 从Proxy protocol获取真实IP
real_ip_header proxy_protocol;
......
}
自定义:
upstream halo {
server 127.0.0.1:8090;
}
server {
listen 80;
listen [::]:80;
listen 127.0.0.1:443 ssl http2 proxy_protocol;
listen [::]:443 ssl http2;
server_name bore.vip www.bore.vip;
if ($host != 'bore.vip' ) {
rewrite ^/(.*)$ https://bore.vip/$1 permanent;
}
client_max_body_size 1024m;
ssl_certificate /etc/nginx/cert/bore.vip.pem;
ssl_certificate_key /etc/nginx/cert/bore.vip.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
access_log /data/wwwlogs/bore.vip_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/bore.vip;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
proxy_pass http://halo;
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
proxy_pass http://halo;
expires 7d;
access_log off;
}
location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
deny all;
}
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://halo;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
allow all;
root /data/wwwroot/bore.vip/;
}
}
重启nginx、xr
systemctl restart nginx
重启xr省略
没有评论:
发表评论