我有两个正在运行的树莓派服务器。这些是用 DietPi 设置的。一台服务器用作 NextCloud 服务器。另一个(新)服务器正在运行 weewx。两者都使用lighttpd作为网络服务器。每个域都在不同的域 my.domain.com 和 my.otherdomain.com 下运行。
我的路由器有一个 IP 地址,我使用端口转发来访问两台服务器。 NextCloud 服务器 (my.domain.com) 使用 Dietpi-letsencrypt 启用了 SSL。我无法在 my.otherdomain.com 上运行 certbot,因为我只有一个公共 IP 地址。
我在 Nextcloud 计算机 (my.domain.com) 上启用了 mod-proxy,它将对 my.otherdomain.com 的请求转发到 weewx 计算机。我禁用了路由器上到 weewx 机器的端口转发。然而,dietpi-letsencrypt 无法为 weewx 机器生成 SSL 证书 - 挑战失败。我尝试在两台机器上运行 certbot。这是我的 Nextcloud 机器(用作我的代理服务器)的尝试:
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for my.domain.com and my.otherdomain.com
Performing the following challenges:
http-01 challenge for aws.andrewterhorst.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain my.otherdomain.com
http-01 challenge for my.otherdomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my.otherdomain.com
Type: unauthorized
Detail: Invalid response from
http://my.otherdomain.com/.well-known/acme-challenge/p16SmhyufIGQ75fnhWQ4zxf49TCLfnX4SoWRmBqAHBg
[129.151.176.124]: "<?xml version=\"1.0\"
encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
XHTML 1.0 Transitional//EN\"\n \"http://www."
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...
我想我的反向代理设置是错误的。在互联网上搜索答案一直具有挑战性。这是我在 Nextcloud 机器上的 /etc/lighttpd/lighttpd.conf 文件:
server.modules = (
"mod_indexfile",
"mod_setenv",
"mod_access",
"mod_alias",
"mod_redirect",
"mod_proxy",
)
server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags += ("server.h2proto" => "enable")
server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags += ("server.graceful-restart-bg" => "enable")
# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
# if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
"header-strict" => "enable",# default
"host-strict" => "enable",# default
"host-normalize" => "enable",# default
"url-normalize-unreserved"=> "enable",# recommended highly
"url-normalize-required" => "enable",# recommended
"url-ctrls-reject" => "enable",# recommended
"url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
#"url-path-2f-reject" => "enable",
"url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
#"url-path-dotseg-reject" => "enable",
#"url-query-20-plus" => "enable",# consistency in query string
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
#server.compat-module-load = "disable"
server.modules += (
"mod_dirlisting",
"mod_staticfile",
)
# proxy settings
$HTTP["host"]=~ "my.otherdomain.com" {
proxy.balance = "fair"
proxy.server = ("" =>
(
( "host" => "192.168.0.261", "port" => 80 ),
( "host" => "192.168.0.261", "port" => 443 )
))
}
从技术上讲,代理设置应该位于 10-proxy.conf 中。我需要运行这个命令:
lighty-enable-mod proxy
这会在 /etc/lighttpd/conf-enabled 中创建一个到 /etc/lighttpd/conf-available 中的 10-proxy.conf 的符号链接。我读到我可以简单地在 lighttpd.conf 中添加代理设置 - 没有必要使用 10-proxy.conf。
当前的设置意味着 my.otherdomain.com 的传入流量最终会到达第二台 weewx 计算机。但是,certbot 需要进行通信。我很困惑应该在哪里运行 certbot - 从我的 weewx 机器还是从我的 NextCloud 机器?
我不是 Linux 专家,需要一些关于如何设置 lighttpd 进行正向和反向代理的指导,以便我的 weewx 机器可以安全。大多数涉及此的帖子都涉及 Apache、nginx 或某些特定的 Web 应用程序设置。使用类似正则表达式的符号,lighttpd conf 设置的语法相当混乱。例如:
$HTTP['host'] =~ '^(www.example.com)$' {
url.rewrite-once = ('^/(.*)' => '/vhost/http/%0/$1')
# In lighttpd we alter the path manually using rewrite rule. %0
# refers to the hostname and $1 is the path.
proxy.server = ( '' =>
( (
'host' => '127.0.0.1',
'port' => 8080
) )
)
}
对于像我这样的傻瓜来说,没有简单的英语分步教程。
答案1
我通过回避问题解决了我的问题。这涉及将第三个 Raspberry Pi 配置为运行 nginx 代理管理器的专用代理服务器(https://nginxproxymanager.com/)。我使用了此处描述的设置:https://www.gitmemory.com/issue/MichaIng/DietPi/4417/847424141。
基本上我遵循的步骤是:
- 设置一个运行 Dietpi 的新 Raspberry Pi
- 从 Dietpi 软件菜单安装 docker 和 docker compose
- 创建Nginx目录
- 在此目录中创建一个包含以下内容的 docker-compose.yml 文件夹:
version: "3"
services:
app:
image: 'jc21/nginx-proxy-manager:2'
restart: always
ports:
# Public HTTP Port:
- '80:80'
# Public HTTPS Port:
- '443:443'
# Admin Web Port:
- '81:81'
# Add any other Stream port you want to expose
# - '21:21' # FTP
environment:
# If you would rather use Sqlite uncomment this
# and remove all DB_MYSQL_* lines above
DB_SQLITE_FILE: "/data/database.sqlite"
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
- 创建一个sqlite数据库:
touch ./data/database.sqlite.
- 使用以下命令设置 nginx 代理管理器:
docker-compose up -d
重新启动 Raspberry Pi 和 viola - 它开箱即用!
然后我登录到管理界面http://proxyserver_ip:81。这是一个简洁/现代的界面。然后,我将端口转发添加到运行 nextcloud 和 weewx 的两台服务器。 nginx 代理管理器通过 Letsencrypt 获取 SSL 证书。无需在每台服务器上安装这些。代理转发使用端口 80,但在管理界面的 SSL 选项卡下,可以强制使用 https。
启用 https 后,我在 nextcloud 服务器上遇到了一个小问题(502 Bad Gateway)。我需要将以下行添加到 nextcloud config.php 文件中:
'overwriteprotocol' => 'https',
- 一切都一如既往的甜蜜!