Backend handling / network connectivity notes
- Linux backend notes
- 29 days ago
Reinstalling a Linux server as Windows (DD)
# DD Windows 10 2021 LTSC 64-bit, enterprise deep-trimmed edition [account Administrator, password nat.ee]
wget --no-check-certificate -qO InstallNET.sh 'https://sunpma.com/other/oss/InstallNET.sh' && bash InstallNET.sh -dd 'https://oss.sunpma.com/Windows/Win10_2021LTSC_64_Administrator_nat.ee.gz'
https://sunpma.com/137.html#%E5%85%B3%E4%BA%8E%E6%BF%80%E6%B4%BB
Fixing Debian 11 apt-get update errors
First back up the original sources.list:
mv /etc/apt/sources.list /etc/apt/sources.list.old
Then replace it with the official mirrors:
cat > /etc/apt/sources.list << EOF
deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye main contrib non-free
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-backports main contrib non-free
deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
EOF
ref www.xxhjkl.me/?p=652
Windows 10: allowing multiple users to connect over RDP at the same time (tutorial)
https://blog.csdn.net/fallingflower/article/details/125215235
Registering a script as a system service on UOS
1. Create demo.service in /usr/lib/systemd/system/:
vi demo.service
[Unit]
Description=demo Service
[Service]
Type=simple
ExecStart=/bin/bash /home/test.sh
MemoryAccounting=true
# MemoryLimit= is the legacy cgroup v1 setting; on cgroup v2 systems the equivalent is MemoryMax=
MemoryLimit=200M
[Install]
WantedBy=multi-user.target
Example script:
vi /home/test.sh
#!/bin/bash
# Minimal long-running placeholder: count forever so the service has something to do.
# Note: "x=$x+1" would build the string "0+1+1+..." rather than add; $(( )) is integer arithmetic.
x=0
while true; do
  x=$((x+1))
done
2. Reload the unit definitions: systemctl daemon-reload
3. Enable at boot: systemctl enable demo
4. Start the service: systemctl start demo
5. Check the status: systemctl status demo
6. Stop the service: systemctl stop demo
7. Disable at boot: systemctl disable demo
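The demo unit above runs the script as root with no sandboxing. As an added example (mine, not from the notes or from UOS), the script below renders a least-privilege variant of that unit for the same kind of script, refuses to install it when the script file is group- or world-writable (a service executing a file others can edit lets them run code as the service user at boot), and then performs the same daemon-reload/enable steps. MemoryMax= is the cgroup v2 equivalent of the MemoryLimit= used above; ProtectHome=read-only rather than true because the demo script lives under /home. Function names are this example's own.

```shell
#!/bin/sh
# Added example: install a script as a least-privilege systemd service.
# Not from the original notes; helper names are this example's own.
set -eu

# Refuse scripts that anyone but the owner can modify: a unit that executes a
# group- or world-writable file lets whoever can write it run code as the
# service user (or as root, for the unit in the notes) on every boot.
check_script_perms() {
  _script="$1"
  [ -f "$_script" ] || { echo "missing: $_script" >&2; return 1; }
  # -perm -020 / -002: group-write / other-write bit set (POSIX octal form)
  if [ -n "$(find "$_script" -perm -020 2>/dev/null)" ] || \
     [ -n "$(find "$_script" -perm -002 2>/dev/null)" ]; then
    echo "refusing: $_script is group- or world-writable" >&2
    return 1
  fi
  return 0
}

# Print a unit that runs the script as an unprivileged user with a memory cap.
# MemoryMax= is the cgroup v2 name of the MemoryLimit= setting used in the notes.
render_unit() {
  _name="$1"; _script="$2"; _user="$3"; _mem="$4"
  cat <<EOF
[Unit]
Description=${_name} Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash ${_script}
User=${_user}
MemoryAccounting=true
MemoryMax=${_mem}
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit to the admin directory (/etc/systemd/system overrides
# /usr/lib/systemd/system) and enable it; stops before writing anything if
# the script fails the permission check.
install_service() {
  _name="$1"; _script="$2"; _user="$3"; _mem="${4:-200M}"
  check_script_perms "$_script" || return 1
  render_unit "$_name" "$_script" "$_user" "$_mem" > "/etc/systemd/system/${_name}.service"
  systemctl daemon-reload
  systemctl enable --now "${_name}.service"
}

# Usage on the target host (as root): install_service demo /home/test.sh demo 200M
```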
Common Debian package-management commands
apt-get update -> apt update
apt-get upgrade -> apt upgrade
apt-get dist-upgrade -> apt full-upgrade
apt-get install <package> -> apt install <package>
apt-get remove <package> -> apt remove <package>
apt-get autoremove -> apt autoremove
apt-cache search <string> -> apt search <string>
apt-cache policy <package> -> apt list -a <package>
apt-cache show <package> -> apt show <package>
apt-cache showpkg <package> -> apt show -a <package>
Remove package foo together with its configuration files: apt purge foo
apt search <term>
apt show <package>
apt-cache depends <package>
apt-cache showpkg <package>
List all options: dpkg --help
Print the control file (and other information) of a given package: dpkg --info foo_VVV-RRR.deb
Install a package (unpack and configure) onto the filesystem: dpkg --install foo_VVV-RRR.deb
Unpack (but do not configure) a Debian archive onto the filesystem:
dpkg --unpack foo_VVV-RRR.deb
Note that a package treated this way is not necessarily usable; some files may need further configuration before the program runs properly. This command removes any already-installed version of the program and runs the package's preinst script (see section 7.6, "What are Debian preinst, postinst, prerm, and postrm scripts?").
Configure a package that has already been unpacked: dpkg --configure foo
This runs the package's postinst script (see section 7.6 again) and performs some other steps; it also updates the files listed in the package's conffiles. Note that the argument to "configure" is the package name (e.g. foo), not the Debian archive file name (e.g. foo_VVV-RRR.deb).
Extract a file named "blurf" (or a set of files named "blurf*") from a Debian archive:
dpkg --fsys-tarfile foo_VVV-RRR.deb | tar -xf - 'blurf*'
Remove a package but keep its configuration files: dpkg --remove foo
Remove a package including its configuration files: dpkg --purge foo
List the installation status of packages matching the string (or regular expression) "foo*": dpkg --list 'foo*'
References
www.debian.org/doc/manuals/debian-faq/pkgtools.zh-cn.html
www.myfreax.com/how-to-list-installed-packages-on-debian/
Nginx troubleshooting
Resolving the warning: the "listen ... http2" directive is deprecated
In nginx 1.25.1 and later, a configuration written like this:
listen 443 ssl http2;
listen [::]:443 ssl http2;
triggers the warning. According to the nginx 1.25.1 changelog, the new "http2" directive enables HTTP/2 per server block, and the "http2" parameter of the "listen" directive is deprecated. Change the configuration to the following:
listen 443 ssl;
listen [::]:443 ssl;
http2 on;  # replaces the listen parameter; without this line the server only speaks HTTP/1.1
refer: blog.csdn.net/wo541075754/article/details/132722406
Official NGINX installation method
Reference:
http://nginx.org/en/linux_packages.html#Debian
Install the prerequisites:
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring
Import an official nginx signing key so apt could verify the packages authenticity. Fetch the key:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Verify that the downloaded file contains the proper key:
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
pub rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
If the fingerprint is different, remove the file.
To set up the apt repository for stable nginx packages, run the following command:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
If you would like to use mainline nginx packages, run the following command instead:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
Set up repository pinning to prefer our packages over distribution-provided ones:
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
| sudo tee /etc/apt/preferences.d/99nginx
To install nginx, run the following commands:
sudo apt update
sudo apt install nginx
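Added example (mine, not from nginx.org or the notes): a POSIX shell script that automates the key import above and fails closed, following the instruction "if the fingerprint is different, remove the file". fingerprint_matches is a pure text check over the import-show output so it can be exercised without gpg or network; install_nginx_repo wires it to curl, gpg and apt. EXPECTED_FPR is the fingerprint quoted above; the function names and the sample output are this example's own.

```shell
#!/bin/sh
# Added example: fail-closed import of the nginx apt signing key.
# Not from the nginx docs or the original notes; EXPECTED_FPR is the
# fingerprint the notes quote, the function names are this example's own.
set -eu

EXPECTED_FPR="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"
KEYRING="/usr/share/keyrings/nginx-archive-keyring.gpg"

# Pure text check so it can be run on captured output without gpg or network
# access: $1 is the output of
#   gpg --dry-run --quiet --no-keyring --import --import-options import-show <file>
# and $2 the expected 40-hex primary-key fingerprint.  Succeeds only if at
# least one fingerprint line is present and every one of them equals $2, so a
# keyring that also carries a second, unexpected key is rejected.
fingerprint_matches() {
  _out="$1"; _want="$2"
  # gpg prints each fingerprint, indented, on its own line under "pub".
  _fprs=$(printf '%s\n' "$_out" | tr -d ' ' | grep -E '^[0-9A-F]{40}$' || true)
  [ -n "$_fprs" ] || return 1
  for _f in $_fprs; do
    [ "$_f" = "$_want" ] || return 1
  done
  return 0
}

# Download, show, compare; remove the keyring and stop before any apt source
# references it if the fingerprint is wrong.
install_nginx_repo() {
  curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee "$KEYRING" >/dev/null
  _shown=$(gpg --dry-run --quiet --no-keyring --import --import-options import-show "$KEYRING")
  if ! fingerprint_matches "$_shown" "$EXPECTED_FPR"; then
    echo "nginx signing key fingerprint mismatch; removing $KEYRING" >&2
    sudo rm -f "$KEYRING"
    return 1
  fi
  echo "deb [signed-by=$KEYRING] http://nginx.org/packages/debian $(lsb_release -cs) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
  sudo apt update
}

# Constructed sample modelled on the output the notes show (not a real capture).
SAMPLE_OUTPUT='pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid           nginx signing key <signing-key@nginx.com>'

if [ "${1:-}" = "--install" ]; then
  install_nginx_repo
elif fingerprint_matches "$SAMPLE_OUTPUT" "$EXPECTED_FPR"; then
  echo "sample output matches the expected fingerprint"
fi
```

Run it with --install on the target host to perform the import; without arguments it only checks the constructed sample.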
Adding the nginx stream module for TCP forwarding
After installing from the official packages all modules are present; check whether the stream TLS+TCP modules are included:
root@piazza-hongkong:/var/www/10086.services/wp-content/uploads/2018/08# nginx -V
nginx version: nginx/1.25.5
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022 (running with OpenSSL 1.1.1w 11 Sep 2023)
TLS SNI support enabled
configure arguments:
--prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp
--user=nginx
--group=nginx
--with-compat
--with-file-aio
--with-threads
--with-http_addition_module
--with-http_auth_request_module
--with-http_dav_module
--with-http_flv_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_mp4_module
--with-http_random_index_module
--with-http_realip_module
--with-http_secure_link_module
--with-http_slice_module
--with-http_ssl_module
--with-http_stub_status_module
--with-http_sub_module
--with-http_v2_module
--with-http_v3_module
--with-mail
--with-mail_ssl_module
--with-stream
--with-stream_realip_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
--with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.5/debian/debuild-base/nginx-1.25.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
The check above shows the stream modules are all present:
--with-stream
--with-stream_realip_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
and the full HTTP/1, HTTP/2 and HTTP/3 module set:
--with-http_v2_module
--with-http_v3_module
参考: appscross.com/2023/08/nginx-adds-stream-module-to-support-tcp/
On whether to load modules dynamically, or otherwise
Enabling the stream module of nginx as installed on Debian, to forward TCP and UDP requests
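To turn the eyeball check above into something repeatable, here is an added example (mine, not from the notes or the nginx project): a POSIX shell function that reads nginx -V output (which goes to stderr, hence 2>&1) and reports each required module as static, dynamic (built with --with-<module>=dynamic, so it still needs a load_module line) or missing. The REQUIRED_MODULES list and the function names are this example's choices; the sample output is constructed from the build shown above.

```shell
#!/bin/sh
# Added example (not from the notes): check an "nginx -V" output for the modules a
# stream/SNI setup needs and say whether each is built in statically, built as a
# dynamic module (needs load_module), or absent.  Function names are this example's own.
set -eu

REQUIRED_MODULES="stream stream_ssl_module stream_ssl_preread_module stream_realip_module http_ssl_module http_v2_module http_realip_module"

# module_state <nginx -V output> <module>
# Prints "static", "dynamic" or "missing".  nginx's configure emits either
# "--with-<mod>" (compiled in) or "--with-<mod>=dynamic" (built as a loadable .so).
module_state() {
  _v="$1"; _mod="$2"
  case " $(printf '%s' "$_v" | tr '\n' ' ') " in
    *" --with-${_mod}=dynamic "*) echo dynamic ;;
    *" --with-${_mod} "*)         echo static ;;
    *)                            echo missing ;;
  esac
}

# check_modules <nginx -V output>
# Returns 0 when every required module is present (static or dynamic); prints one
# line per module so the output doubles as a report.
check_modules() {
  _v="$1"; _rc=0
  for _m in $REQUIRED_MODULES; do
    _s=$(module_state "$_v" "$_m")
    echo "$_m: $_s"
    [ "$_s" != "missing" ] || _rc=1
  done
  return $_rc
}

# Constructed sample (abridged, modelled on the official 1.25.5 package above):
SAMPLE_V='nginx version: nginx/1.25.5
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_realip_module --with-http_v2_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module'

# Real use: check_modules "$(nginx -V 2>&1)"
check_modules "$SAMPLE_V"
```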
Configuring GeoIP2 in nginx
About GeoIP2
The GeoLite2 databases come in several parts: GeoLite2 Country, GeoLite2 City and GeoLite2 ASN, each serving a different purpose. GeoLite2 Country only resolves the country and continent of an IP address; GeoLite2 City resolves the country, region, city, latitude/longitude, postal code and similar details; GeoLite2 ASN resolves the autonomous system (AS) or ISP an IP address belongs to.
Nginx stream load balancing
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
  worker_connections 1024;
}
stream {
  # SNI routing: map the requested server name to an upstream name; replace with your own domains
  map $ssl_preread_server_name $sni_name {
    你的一级域名 web;
    你的二级域名 naive;
    # default when no name matches
    default web;
  }
  # The map reads the SNI server name (the domain the client requests a certificate for)
  # and produces the custom $sni_name variable:
  #   your first-level domain  -> upstream "web"
  #   your second-level domain -> upstream "naive"
  #   anything else (default)  -> upstream "web"
  # web: forwarding target
  upstream web {
    server 127.0.0.1:20000;
  }
  # tunnel path: forwarding target
  upstream naive {
    server 127.0.0.1:10000;
  }
  # listen on 443 with ssl_preread enabled
  server {
    # share port 443 across workers (reuseport)
    listen 443 reuseport;
    # route to the upstream selected by SNI
    proxy_pass $sni_name;
    # inspect the TLS ClientHello to read the SNI without terminating TLS
    ssl_preread on;
    # send the PROXY protocol header so the upstream learns the real client address
    proxy_protocol on;
  }
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$request_time"';
access_log /var/log/nginx/access.log main buffer=32k flush=30s;
server_tokens off;
client_max_body_size 100m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1.2 TLSv1.3;
# Note: the *-AES256-GCM-SHA512 names below are not real OpenSSL cipher suites and are silently
# ignored; the effective TLS 1.2 list is the remaining ECDHE/DHE AES-GCM-SHA384 and ECDHE-SHA384 entries.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
add_header Strict-Transport-Security "max-age=63072000; preload";
#add_header X-Frame-Options DENY;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
fastcgi_cache_path /dev/shm/wordpress levels=1:2 keys_zone=wordpress:30m inactive=30m use_temp_path=off;
fastcgi_cache_key $request_method$scheme$host$request_uri;
fastcgi_cache_lock on;
fastcgi_cache_use_stale error timeout invalid_header updating http_500;
fastcgi_cache_valid 200 301 302 30m;
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Expires Set-Cookie Vary;
gzip on;
gzip_min_length 2k;
gzip_buffers 4 16k;
gzip_comp_level 4;
gzip_types
text/css
text/plain
text/javascript
application/javascript
application/json
application/x-javascript
application/xml
application/xml+rss
application/xhtml+xml
application/x-font-ttf
application/x-font-opentype
application/vnd.ms-fontobject
image/svg+xml
application/rss+xml
application/atom_xml
image/jpeg
image/gif
image/png
image/icon
image/bmp
image/jpg;
gzip_vary on;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
}
Configuration for the main domain
server {
#listen 80;
# accept the PROXY protocol header sent by the stream block above, then terminate TLS
listen 20200 proxy_protocol ssl;
server_name 你的域名;
#return 301 https://$host$request_uri;
# take the client address from the PROXY header rather than the stream proxy's 127.0.0.1
# (ngx_http_realip_module, included in the official build shown above)
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
client_max_body_size 100M;
client_body_buffer_size 100M;
ssl_certificate /你的域名/fullchain.cer;
ssl_certificate_key /你的域名/你的域名.key;
charset utf-8;
set $host_path "/var/www/你的域名";
access_log /var/log/nginx/你的域名.access.log main buffer=32k flush=30s;
error_log /var/log/nginx/你的域名.error.log;
root $host_path;
set $skip_cache 0;
if ($query_string != "") {
set $skip_cache 1;
}
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# logged-in users or commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
location = / {
index index.php index.html;
try_files /index.php?$args /index.php?$args;
}
location / {
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
}
location ~ ^/\.user\.ini {
deny all;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_index index.php;
fastcgi_cache wordpress;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location ~ \.(js|css|png|jpg|jpeg|gif|ico|swf|webp|pdf|txt|doc|docx|xls|xlsx|ppt|pptx|mov|fla|zip|rar)$ {
expires max;
access_log off;
try_files $uri =404;
}
}
Caddy troubleshooting
Build error when compiling the proxy-protocol module into Caddy
xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive --with github.com/mastercactapus/caddy2-proxyprotocol
Building against the latest version hit an error, and the binary would not print the normal version string shown below; it could still run, but was unusable.
callen@piazza-hongkong:~$ caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
The culprit is the argument github.com/mastercactapus/caddy2-proxyprotocol.
Here that plugin exists only so the following block can be used:
{
servers {
listener_wrappers {
proxy_protocol {
timeout <duration>
allow <cidrs...>
}
tls
}
}
}
https://caddyserver.com/docs/caddyfile/options#listener-wrappers
Also included is the proxy_protocol listener wrapper (prior to v2.7.0 it was only available via a plugin), which enables PROXY protocol parsing (popularized by HAProxy). This must be used before the tls listener wrapper since it parses plaintext data at the start of the connection:
{
servers {
listener_wrappers {
proxy_protocol {
timeout 2s
allow 192.168.86.1/24 192.168.86.1/24
}
tls
}
}
}
That article was written for version 2.6; Caddy is now at 2.7.
Second way to confirm: check whether the module is already built into the binary
~$ caddy list-modules | grep protocol
~$ caddy list-modules | grep -i proxy_protocol
caddy.listeners.proxy_protocol
http.matchers.protocol
So the extra plugin no longer needs to be compiled in. The correct build, yielding a caddy with the proxy-protocol module, is:
# install xcaddy
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
# build caddy with the naive plugin via xcaddy; each --with names a plugin to bundle. The maxmind-geolocation plugin is appended to filter by IP
xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive --with github.com/porech/caddy-maxmind-geolocation@master
# the build used to pin a version (v2.6.4); the default is now the latest, 2.7.1
# move caddy into the system binary directory
mv caddy /usr/bin/
# allow binding to ports below 1024
setcap cap_net_bind_service=+ep /usr/bin/caddy
# show the caddy version
caddy version
Setting up the Go build environment
apt upgrade -y
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates
wget https://go.dev/dl/go1.22.1.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.1.linux-amd64.tar.gz
echo "export PATH=\$PATH:/usr/local/go/bin" >> /etc/profile
curl -sSL https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key | gpg --dearmor > /usr/share/keyrings/xcaddy.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/xcaddy.gpg] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main" > /etc/apt/sources.list.d/xcaddy.list
apt update
apt install xcaddy
go version
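The steps above download the Go tarball and unpack it into /usr/local without checking it. As an added example (mine, not from the notes or from go.dev), here is the check a practitioner would insert between the download and the tar -C /usr/local step: compare the archive's SHA-256 against the value published beside the file on https://go.dev/dl/ and delete it on mismatch. EXPECTED_GO_SHA256 is a placeholder to be filled in from that page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the notes): verify a downloaded archive against a
# published SHA-256 before unpacking it into /usr/local.  The Go download page
# lists a checksum beside each file; EXPECTED_GO_SHA256 below is a placeholder
# to be replaced with that value.  Function names are this example's own.
set -eu

GO_TARBALL="go1.22.1.linux-amd64.tar.gz"
EXPECTED_GO_SHA256="<sha256 from https://go.dev/dl/ for ${GO_TARBALL}>"   # placeholder

# sha256_of <file>: print the lowercase hex digest using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 <file> <expected hex>: 0 on match, 1 otherwise (case-insensitive).
verify_sha256() {
  _got=$(sha256_of "$1")
  _want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$_got" = "$_want" ]
}

# Only unpack when the archive is the one the publisher lists; a truncated or
# tampered download is deleted instead of being installed.
install_go() {
  _tar="$1"; _sum="$2"
  wget -q "https://go.dev/dl/${_tar}"
  if ! verify_sha256 "$_tar" "$_sum"; then
    echo "checksum mismatch for $_tar, refusing to install" >&2
    rm -f "$_tar"
    return 1
  fi
  rm -rf /usr/local/go && tar -C /usr/local -xzf "$_tar"
  echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
}

# Usage on the target host (as root): install_go "$GO_TARBALL" "$EXPECTED_GO_SHA256"
```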
Installing the official Caddy package and a custom-built Caddy side by side
apt install curl vim wget gnupg dpkg apt-transport-https lsb-release ca-certificates
curl -sSL https://dl.cloudsmith.io/public/caddy/stable/gpg.key | gpg --dearmor > /usr/share/keyrings/caddy.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/caddy.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" > /etc/apt/sources.list.d/caddy.list
apt update
apt install caddy
systemctl stop caddy
systemctl status caddy
dpkg-divert --divert /usr/bin/caddy.default --rename /usr/bin/caddy
# divert the package's /usr/bin/caddy to /usr/bin/caddy.default and rename the existing file, so package upgrades keep updating the diverted copy while /usr/bin/caddy is free for the custom build
/usr/bin/caddy.default version
/usr/bin/caddy.custom version
Configuring the GeoIP global IP database module
wget https://cdn.jsdelivr.net/npm/geolite2-city@1.0.0/GeoLite2-City.mmdb.gz
gzip -h
gzip -d GeoLite2-City.mmdb.gz
mv GeoLite2-City.mmdb /data/GeoLite2-City.mmdb
cat /data/GeoLite2-City.mmdb
cat /etc/nginx/ssl/out6.pem
cat /etc/nginx/ssl/out6.key
cat /var/log/caddy/access.log
caddy fmt --overwrite
# reformat the Caddyfile in place
caddy validate Caddyfile
# check that the configuration is valid
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
# run in the foreground to test that it works
systemctl start caddy
# start it as a system service
Coexistence: use the service unit registered by the distro's caddy package to start the self-built caddy.
Common Caddy management commands
# check that the configuration file is valid
caddy validate Caddyfile
# format the configuration file; --overwrite writes the result back over the original
caddy fmt --overwrite Caddyfile
# adapt the Caddyfile to JSON; --pretty pretty-prints the output
caddy adapt --pretty
# list the modules compiled into this caddy
caddy list-modules
# show the caddy version
caddy version
# reload systemd unit definitions (needed after editing the unit file)
systemctl daemon-reload
# enable caddy at boot
systemctl enable caddy
# start caddy
systemctl start caddy
# reload the caddy configuration
systemctl reload caddy
# restart caddy
systemctl restart caddy
# stop caddy
systemctl stop caddy
Issuing certificates with acme.sh
itlanyan.com/use-acme-sh-get-free-cert/
A separate certificate for the SSL tunnel
~/.acme.sh/acme.sh --issue -d 隧道域名 --standalone
~/.acme.sh/acme.sh --install-cert -d 隧道域名 --key-file /etc/nginx/ssl/tunnel6.key --fullchain-file /etc/nginx/ssl/tunnel6.pem
Allowing binding to ports below 1024
setcap cap_net_bind_service=+ep ./caddy
setcap cap_net_bind_service=+ep caddy
setcap cap_net_bind_service=+ep /usr/bin/caddy.custom
Check whether the admin port is open
curl -l localhost:2019
curl -l admin:admin@localhost:2019
Check the tunnel's TLS fingerprint (JARM hash)
wget https://raw.githubusercontent.com/salesforce/jarm/master/jarm.py
python3 jarm.py 隧道域名
Check, in order, whether caddy is being started as root rather than as the caddy user
vim /root/go/pkg/mod/github.com/caddyserver/caddy@v1.0.5/dist/init/linux-systemd/caddy.service
vim /etc/systemd/system/multi-user.target.wants/caddy.service
vim /usr/lib/systemd/system/caddy.service
vim /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/caddy.service
Complete Caddy configuration
(LOG) {
log {
# output type "file", with the path of the access log
output file /var/log/caddy/access.log {
# roll the file once it reaches this size
roll_size 10mb
# maximum number of rolled files to keep
roll_keep 30
# how long rolled files are kept
roll_keep_for 30d
}
# log formatting
format filter {
# emit JSON
wrap json {
# "wall" renders the timestamp as 2006/01/02 15:04:05
time_format "wall"
# key for the timestamp (default: ts)
time_key "time"
# use the system's local time instead of the default UTC
time_local
}
# field handling: delete drops a field, replace substitutes a value
fields {
user_id delete
duration delete
resp_headers delete
status delete
request>uri delete
request>remote_port delete
request>tls delete
request>method delete
request>headers>User-Agent delete
request>headers>Accept-Encoding delete
request>headers>Padding delete
# can be removed; I replaced it to hide my IP while demonstrating
request>remote_ip replace "0.0.0.0"
}
}
# log level
level INFO
}
}
{
http_port 7780
https_port 7743
order forward_proxy before reverse_proxy
servers {
log_credentials
listener_wrappers {
proxy_protocol {
timeout 5s
# accept the PROXY header from any peer; when the nginx stream proxy is on the same host,
# allow 127.0.0.1/32 is enough and stops other peers from asserting a fake client address
allow 0.0.0.0/0
}
tls
}
}
}
:7743, 你的域名 {
tls /etc/nginx/ssl/你的域名.pem /etc/nginx/ssl/你的域名.key {
# replace path_to_crt and path_to_key with the absolute paths of the crt and key files
ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
alpn h2 http/1.1
}
import LOG
@geofilter {
maxmind_geolocation {
db_path "/data/GeoLite2-City.mmdb"
allow_countries CN
deny_countries US UNK
}
}
forward_proxy @geofilter {
basic_auth 用户 用户code
hide_ip
hide_via
probe_resistance
}
forward_proxy @geofilter {
basic_auth 用户2 用户2code
hide_ip
hide_via
probe_resistance
}
reverse_proxy @geofilter https://需要通过的域名 {
header_up Host {upstream_hostport}
}
}
On the cloud host, confirm the port is listening normally
ss -tulpn | grep caddy
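The proxy_protocol on in the nginx stream block and the proxy_protocol listener wrapper with allow 0.0.0.0/0 in the Caddy global options both rely on the PROXY protocol: the connecting proxy prepends one text line carrying the original client address before any TLS bytes. Because that line is plain text any peer could send, the receiver must trust it only from the proxy's own address (nginx set_real_ip_from, Caddy allow). The added example below (mine, not from the notes or from either project) builds and parses a v1 header in POSIX shell and shows that trust decision against a list of trusted peers; addresses and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: PROXY protocol v1 header, as sent by nginx "proxy_protocol on"
# and consumed by the Caddy proxy_protocol listener wrapper / nginx real_ip_header.
# Not from the notes or from either project.  Function names are this example's own.
# Only the TCP4 text form is handled; TCP6 and the binary v2 header are out of scope.
set -eu

# build_proxy_v1 <src> <dst> <sport> <dport>: the single line a proxy sends first.
build_proxy_v1() {
  printf 'PROXY TCP4 %s %s %s %s\r\n' "$1" "$2" "$3" "$4"
}

# Dotted-quad check, each octet 0-255.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  _o1=${1%%.*}; _r=${1#*.}; _o2=${_r%%.*}; _r=${_r#*.}; _o3=${_r%%.*}; _o4=${_r#*.}
  for _o in $_o1 $_o2 $_o3 $_o4; do [ "$_o" -le 255 ] || return 1; done
}

is_port() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_proxy_v1 <line>: print "src dst sport dport" for a well-formed TCP4
# header; return 1 on anything else.  The v1 spec fixes the layout: literal
# "PROXY", family, two addresses, two ports, CRLF, at most 107 bytes in total.
parse_proxy_v1() {
  _line=$(printf '%s' "$1" | tr -d '\r\n')
  [ "${#_line}" -le 105 ] || return 1
  # word splitting into the six fields is intended here
  set -- $_line
  [ "$#" -eq 6 ] || return 1
  [ "$1" = "PROXY" ] && [ "$2" = "TCP4" ] || return 1
  is_ipv4 "$3" && is_ipv4 "$4" || return 1
  is_port "$5" && is_port "$6" || return 1
  echo "$3 $4 $5 $6"
}

# client_address <peer ip> <header line> <trusted peers...>
# The decision both nginx (set_real_ip_from) and Caddy (allow) make: the
# address in the header is believed only when the TCP peer that sent it is a
# trusted proxy; otherwise the peer address itself is the client.
client_address() {
  _peer="$1"; _hdr="$2"; shift 2
  for _t in "$@"; do
    if [ "$_t" = "$_peer" ]; then
      _parsed=$(parse_proxy_v1 "$_hdr") || return 1
      echo "${_parsed%% *}"
      return 0
    fi
  done
  echo "$_peer"
}

# Demo with constructed addresses: a local nginx relays a client at 203.0.113.10.
HDR=$(build_proxy_v1 203.0.113.10 198.51.100.7 51234 443)
echo "from trusted proxy:  $(client_address 127.0.0.1 "$HDR" 127.0.0.1)"
echo "from untrusted peer: $(client_address 192.0.2.99 "$HDR" 127.0.0.1)"
```

With the trusted list set to 127.0.0.1 the header from the local proxy yields 203.0.113.10, while the same bytes arriving from 192.0.2.99 are ignored and the peer address is logged; that is the difference between allow 127.0.0.1/32 and allow 0.0.0.0/0.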
References
https://idev.dev/proxy/nginx-stream.html  Notes on SNI routing with the nginx stream module
https://idev.dev/proxy/naiveproxy.html
https://caq98i.top/article/?page=99
https://blog.tantalum.life/posts/deploy-nativeproxy-in-docker/
https://bulianglin.com/archives/naive.html
https://kiku.vip/2021/10/17/trojan%20%E5%92%8C%20Nginx%20%E5%85%B1%E7%94%A8%20443%20%E7%AB%AF%E5%8F%A3/
https://u.sb/xcaddy/
Installing Caddy on Debian 11 / Ubuntu 22.04
https://u.sb/debian-install-caddy/
https://u.sb/archives/
Self-hosting a domain mailbox with Mailcow in Docker on Debian 11 / Ubuntu 22.04
https://u.sb/docker-mailcow/