适用于sealos的方案 #14
Description
修改自docker
镜像:nginx
CPU和内存拉到最小
网络配置:暴露80开启公网访问
高级配置:
启动命令:/bin/bash
运行参数:/app/start.sh
环境变量:
HOSTNAME=公网访问处显示的地址
PASSWORD=自己设的密码
CONTEXT_PATH=自己设随机字符串
SSL_CERTIFICATE=/app/ssl/cert.crt
SSL_CERTIFICATE_KEY=/app/ssl/cert.key
配置文件:
- /app/ssl/cert.crt 内容任意
- /app/ssl/cert.key 内容任意
- /app/start.sh 和docker相同
cp -f '/etc/nginx/nginx-template.conf' '/etc/nginx/nginx.conf'
sed -i 's#${SSL_CERTIFICATE}#'"$SSL_CERTIFICATE"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${SSL_CERTIFICATE_KEY}#'"$SSL_CERTIFICATE_KEY"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${HOSTNAME}#'"$HOSTNAME"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${PASSWORD}#'"$PASSWORD"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${CONTEXT_PATH}#'"$CONTEXT_PATH"'#g' '/etc/nginx/nginx.conf'
nginx -g 'daemon off;'- /etc/nginx/nginx-template.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 10000;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
use epoll;
multi_accept on;
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '[$time_local] $remote_addr "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
#gzip on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
keepalive_timeout 65;
client_max_body_size 50m;
server {
listen 80; # 1.1版本后这样写
server_name ${HOSTNAME} ; #填写绑定证书的域名
# ssl_certificate ${SSL_CERTIFICATE}; # 指定证书的位置,绝对路径
# ssl_certificate_key ${SSL_CERTIFICATE_KEY}; # 绝对路径,同上
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; #按照这个协议配置
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置
ssl_prefer_server_ciphers on;
client_max_body_size 50M;
client_body_buffer_size 10M;
location ^~/${CONTEXT_PATH}/ {
resolver 1.1.1.1 ipv6=off;
if ( $http_dspassword != '${PASSWORD}' ){
return 403;
}
set $_full_uri $uri$is_args$args;
if ( $_full_uri ~ /${CONTEXT_PATH}/([^/]+)/(.*) ){
set $_host $1;
set $_uri $2;
}
if ( $scheme = "http" ){
set $new_scheme "https";
}
proxy_pass $new_scheme://$_host/$_uri;
proxy_redirect https://${HOSTNAME}/${CONTEXT_PATH}/ /;
proxy_buffer_size 64k;
proxy_buffers 64 64k;
proxy_busy_buffers_size 1m;
proxy_temp_file_write_size 512k;
proxy_max_temp_file_size 128m;
# proxy_set_header referer $scheme://$_host; 要去掉
proxy_set_header Host $_host;
proxy_ssl_server_name on;
proxy_set_header dspassword '';
}
location /${CONTEXT_PATH}/robots.txt {
resolver 1.1.1.1;
deny all;
}
location / {
resolver 1.1.1.1;
deny all;
}
}
include /etc/nginx/conf.d/*.conf;
}
已知bug:无法访问仅http的网页