一种基于nginx的反向代理策略

DNS

通过域名服务商，配置一个记录类型为"A"的解析，记录值为服务器的公网IP。

nginx

然后在服务器上启动nginx。

提前启动nginx的原因，是为下一步的证书申请做准备。
启动nginx后，我们在浏览器输入域名，理论上应该能看到如下的网页。

如果看不到，除了DNS的配置、nginx的配置外，其他可能的原因有：

• 云服务商的网络策略
  通过云服务商的管理页面调整
• 虚拟机的防火墙策略

证书

证书申请

通过win-acme申请证书。
官网：https://www.win-acme.com
双击wacs.exe即可运行。

A simple Windows ACMEv2 client (WACS)
Software version 2.2.2.1449 (release, trimmed, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task looks healthy
Please report issues at https://github.com/win-acme/win-acme

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit

Please choose from the menu: m

• 选择m，完全自行设定。

Running in mode: Interactive, Advanced
Source plugin IIS not available: No supported version of IIS detected.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

• 选择2，手工输入。

Description:        A host name to get a certificate for. This may be a
                    comma-separated list.

Host: 【域名】

• 输入域名

Source generated using plugin Manual: 【域名】

Friendly name '[Manual] 【域名】'. <Enter> to accept or type desired name: <Enter>

• 确认域名，如果无误，直接回车即可。

By default your source identifiers are covered by a single certificate. But
if you want to avoid the 100 domain limit, want to prevent information
disclosure via the SAN list, and/or reduce the operational impact of a single
validation failure, you may choose to convert one source into multiple
certificates, using different strategies.

1: Separate certificate for each domain (e.g. *.example.com)
2: Separate certificate for each host (e.g. sub.example.com)
3: Separate certificate for each IIS site
4: Single certificate
C: Abort

Would you like to split this source into multiple certificates?: 4

• 选择申请的证书的类型，这里选择4即可。

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard identifiers the latter is the only option.
Various additional plugins are available from
https://github.com/win-acme/win-acme/.

1: [http] Save verification files on (network) path
2: [http] Serve verification files from memory
3: [http] Upload verification files via FTP(S)
4: [http] Upload verification files via SSH-FTP
5: [http] Upload verification files via WebDav
6: [dns] Create verification records manually (auto-renew not possible)
7: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns] Create verification records with your own script
9: [tls-alpn] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 1

• 选择1，通过本地文件的方式验证。

Description:        Root path of the site that will serve the HTTP validation
                    requests.

Path: C:\APP\nginx-1.22.1\html

• 输入本地文件的根目录
  这也是为什么要提前启动nginx的原因。如果nginx没有启动成功，win-acme的验证会失败。

Description:        Copy default web.config to the .well-known directory.
Default:            False
Argument:           False (press <Enter> to use this)

Copy default web.config before validation? (y/n*) - no

• 在验证之前，不保存默认的配置。

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 1

• 私钥类型，选择第一种。

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

How would you like to store the certificate?: 2

• 证书类型，因为我们是为nginx申请证书，所以选择第二种。

Description:        .pem files are exported to this folder.

File path: C:\APP\ssl

• 证书保存地址

Description:        Password to set for the private key .pem file.

1: None
2: Type/paste in console
3: Search in vault

Choose from the menu: 1

• 私钥是否设置密码，这里选择None，不设置。

之后的很多操作，直接选择默认值即可。

证书配置

通过上述步骤，我们会得到如下四个文件。

• chain.pem
• chain-only.pem
• crt.pem
• key.pem

我们需要的是chain.pem和key.pem。

修改nginx的conf的nginx.conf文件。

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    server {
       listen 443 ssl http2;

       server_name 【域名】;
       ssl_certificate       【chain.pem的绝对路径】;
       ssl_certificate_key   【key.pem的绝对路径】;
       
       ssl_protocols         TLSv1.2 TLSv1.3;
       ssl_ciphers           ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
       ssl_prefer_server_ciphers off;

       location / {
           proxy_pass https://【被反代的域名】;
           proxy_ssl_server_name on;
           proxy_redirect off;
           sub_filter_once off;
           sub_filter "【被反代的域名】" $server_name;
           proxy_set_header Host "【被反代的域名】";
           proxy_set_header Referer $http_referer;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header User-Agent $http_user_agent;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto https;
           proxy_set_header Accept-Encoding "";
           proxy_set_header Accept-Language "zh-CN";
       }


       location /r {
           proxy_redirect off;
           proxy_pass http://127.0.0.1:【端口】;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
    }

    server {
        listen 80;

        location /.well-known/ {
               root   html;
            }
        location / {
            rewrite ^(.*)$ https://$host$1 permanent;
            }
    }

}

V2

Github地址：

服务端配置，config.json：

客户端配置：

解释说明：

• 服务端配置的ws对应客户端配置的websocket。
• 服务端配置的/r对应客户端配置的/r，对应nginx配置的location /r。
• 服务端配置的listen和port对应nginx的location /r的proxy_pass。