A few days ago I got hold of $100 of DigitalOcean credit, so I spun up a VPS in Singapore. I didn't expect much in terms of speed, but after setting up Trojan-Go it turned out to be decent, the spec was just right, and there is even 1 TB of transfer. Using it only for a proxy felt like a waste, so I decided to host a website on it as well.
A while back I set up a OneManager drive on Tencent Cloud Functions, and it always felt slow to load, so this time I tried deploying it on the server instead. Naturally, the deployment hit plenty of pitfalls (pulling my hair out).
A first round of searching turned up this article: 在Nginx上配置多个站点 (configuring multiple sites on Nginx).
So I cloned the OneManager source into the cloud directory under /var/www, created a new cloud.conf under /etc/nginx/conf.d, and edited it as follows:
```nginx
# cloud.conf as taken from the referenced article; the hostname, web root and
# php5-fpm socket are the article's values and are replaced further down
server {
    listen 80;
    server_name www.site.com;
    root /home/user/www/blog;
    index index.html index.htm index.php;

    location / {
        # route every request for a non-existent file to the front controller
        if (!-e $request_filename) {
            rewrite (.*) /index.php;
        }
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
```
Then I remembered that I had already obtained an SSL certificate for the original drive domain, so I might as well enable SSL and force HTTPS. That led me to this article: Nginx 安装 SSL 配置 HTTPS 超详细完整教程全过程 (a complete walkthrough of installing an SSL certificate and configuring HTTPS on Nginx).
The certificate had been hosted on Tencent Cloud, because the cloud function could use it directly. The download is a set of folders, each containing the certificate in the format a different HTTP server expects.
My server only has Nginx installed, so I just needed to copy the Nginx folder over with scp:
```shell
scp -r Nginx root@xxxx:/root/certs
```
Then edit cloud.conf again:
```nginx
server {
    listen 443 ssl;   # the original "listen 443; ssl on;" is the deprecated spelling of this
    ssl_certificate /root/certs/nginx/xxx.cert;
    ssl_certificate_key /root/certs/nginx/xxx.key;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 is the sensible floor
    ssl_prefer_server_ciphers on;

    server_name www.site.com;
    root /home/user/www/blog;
    index index.html index.htm index.php;

    location / {
        if (!-e $request_filename) {
            rewrite (.*) /index.php;
        }
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;   # php-fpm over TCP instead of the unix socket
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
```
Then include it from nginx.conf: include /etc/nginx/conf.d/cloud.conf
Seeing the PHP handler at the bottom of the config reminded me that I hadn't installed a PHP environment yet, and OneManager is written in PHP. Back to searching for PHP setup guides; after paging through results for ages I finally found one I could more or less follow: ubuntu安装php7.2,php-fpm[ubuntu部署] (installing php7.2 and php-fpm on Ubuntu).
As the article says, change the listen line in /etc/php/7.2/fpm/pool.d/www.conf to listen = 127.0.0.1:9000 so that php-fpm listens on port 9000.
Then run nginx -t to test: no errors, OK, straight into a service nginx reload.
Startup error: cannot bind port 443...
Only then did I remember that port 443 had been occupied by trojan all along...
So I opened Google, searched for ways to share the port, and found the article Nginx和Trojan共存443端口 (Nginx and Trojan sharing port 443).
The gist: neither the nginx site nor trojan listens on 443 directly. Port 443 is handed to nginx's stream module, which reads the server name (SNI) from the TLS handshake and proxies the connection to whichever service's port matches that host.
With the principle understood, I started modifying the nginx config (only the added part is shown):
```nginx
# added to nginx.conf at top level, outside the http block
stream {
    # pick a backend from the SNI in the ClientHello without terminating TLS
    map $ssl_preread_server_name $backend_name {
        a.revincx.icu  web;
        b.revincx.icu  trojan;
        default        web;
    }

    upstream web    { server 127.0.0.1:10491; }
    upstream trojan { server 127.0.0.1:10492; }

    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        proxy_pass $backend_name;
        ssl_preread on;   # required, otherwise $ssl_preread_server_name is empty
    }
}
```
trojan's config file has to change as well. At first I couldn't find where the server-side config lived; in the end I just searched the whole filesystem, and it turned out to be in /usr/local/trojan. Not where you'd expect it... Edit config.json:
```json
{
  "run_type": "server",
  "local_addr": "127.0.0.1",
  "local_port": 10492,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["password"],
  "log_level": 3,
  "ssl": {
    "cert": "证书地址.crt",
    "key": "证书地址.key",
    "key_password": "",
    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
    "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
    "prefer_server_cipher": true,
    "alpn": ["http/1.1"],
    "alpn_port_override": {"h2": 81},
    "reuse_session": true,
    "session_ticket": false,
    "session_timeout": 600,
    "plain_http_response": "",
    "curves": "",
    "dhparam": ""
  },
  "tcp": {
    "prefer_ipv4": false,
    "no_delay": true,
    "keep_alive": true,
    "reuse_port": false,
    "fast_open": false,
    "fast_open_qlen": 20
  },
  "mysql": {
    "enabled": false,
    "server_addr": "127.0.0.1",
    "server_port": 3306,
    "database": "trojan",
    "username": "trojan",
    "password": "",
    "cafile": ""
  }
}
```
Then restart the trojan service: service trojan restart
Start Nginx: service nginx reload
Bet you didn't see it coming: another error. Never mind, I'm keeping my cool. The log said the stream forwarding module could not be found; a quick Google showed that stream is a dynamically loaded nginx module that has to be loaded explicitly.
Edit nginx.conf and add this at the very top:
```nginx
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
```
Save, restart nginx, and finally no errors. Checked that both the website and the proxy are running normally. Sweet~
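As an added example (not the post's own config), here is how the three pieces fit together in a single nginx.conf. The post only shows the stream part that was added, so this assumes the website's server block moves from 443 to the loopback port 10491 that the stream block forwards to, and that a plain-HTTP server on 127.0.0.1:80 serves whatever trojan's remote_addr/remote_port hands over; the domain names and ports are the post's, while the certificate paths, the /var/www/cloud web root and the decoy root are placeholders.

```nginx
# Assembled example, not the author's file. Placeholders: certificate paths,
# /var/www/cloud (OneManager checkout) and /var/www/html (decoy content).
load_module /usr/lib/nginx/modules/ngx_stream_module.so;   # must come before events/http

events { worker_connections 1024; }

# Layer 4 front door: read the SNI from the ClientHello, forward the raw TLS bytes.
stream {
    map $ssl_preread_server_name $backend_name {
        a.revincx.icu  web;
        b.revincx.icu  trojan;
        default        web;      # unknown or missing SNI goes to the site, never to the proxy
    }
    upstream web    { server 127.0.0.1:10491; }
    upstream trojan { server 127.0.0.1:10492; }

    server {
        listen 443 reuseport;
        listen [::]:443 reuseport;
        ssl_preread on;
        proxy_pass $backend_name;
    }
}

http {
    include mime.types;

    # The website terminates TLS on the loopback port the stream block forwards to.
    # It must not bind 443 itself, or the stream server gets the same bind error.
    server {
        listen 127.0.0.1:10491 ssl;   # replaces "listen 443; ssl on;"
        server_name a.revincx.icu;
        ssl_certificate     /root/certs/nginx/xxx.cert;   # placeholder path from the post
        ssl_certificate_key /root/certs/nginx/xxx.key;
        ssl_protocols TLSv1.2 TLSv1.3;                     # TLSv1/1.1 dropped
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;

        root /var/www/cloud;
        index index.php index.html;
        location / { try_files $uri $uri/ /index.php$is_args$args; }
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;   # php7.2-fpm as set in pool.d/www.conf
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }

    # Assumed decoy for trojan's fallback: non-trojan traffic that arrives on
    # b.revincx.icu is forwarded by trojan to 127.0.0.1:80 and gets an ordinary page.
    server {
        listen 127.0.0.1:80;
        server_name b.revincx.icu;
        root /var/www/html;
        index index.html;
    }
}
```

Run nginx -t before reloading. Two things to check afterwards: the ss -tlnp output should show only nginx on 443, with the site on 10491 and trojan on 10492; and because the http server now receives connections from the stream proxy, its access log shows 127.0.0.1 as the client address unless you add proxy_protocol on to the stream server, proxy_protocol to the http listen directive, and set_real_ip_from 127.0.0.1 with real_ip_header proxy_protocol. Also mind the case of the certificate directory: scp -r Nginx creates /root/certs/Nginx, while the config above refers to /root/certs/nginx.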