Lighttpd 反向代理

Lighttpd 反向代理

我有两个正在运行的树莓派服务器。这些是用 DietPi 设置的。一台服务器用作 NextCloud 服务器。另一个(新)服务器正在运行 weewx。两者都使用lighttpd作为网络服务器。每个域都在不同的域 my.domain.com 和 my.otherdomain.com 下运行。

我的路由器有一个 IP 地址,我使用端口转发来访问两台服务器。 NextCloud 服务器 (my.domain.com) 使用 Dietpi-letsencrypt 启用了 SSL。我无法在 my.otherdomain.com 上运行 certbot,因为我只有一个公共 IP 地址。

我在 Nextcloud 计算机 (my.domain.com) 上启用了 mod-proxy,它将对 my.otherdomain.com 的请求转发到 weewx 计算机。我禁用了路由器上到 weewx 机器的端口转发。然而,dietpi-letsencrypt 无法为 weewx 机器生成 SSL 证书 - 挑战失败。我尝试在两台机器上运行 certbot。这是我的 Nextcloud 机器(用作我的代理服务器)的尝试:

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E 
Renewing an existing certificate for my.domain.com and my.otherdomain.com
Performing the following challenges:
http-01 challenge for aws.andrewterhorst.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain my.otherdomain.com
http-01 challenge for my.otherdomain.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my.otherdomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://my.otherdomain.com/.well-known/acme-challenge/p16SmhyufIGQ75fnhWQ4zxf49TCLfnX4SoWRmBqAHBg
   [129.151.176.124]: "<?xml version=\"1.0\"
   encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
   XHTML 1.0 Transitional//EN\"\n         \"http://www."

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

我想我的反向代理设置是错误的。在互联网上搜索答案一直具有挑战性。这是我在 Nextcloud 机器上的 /etc/lighttpd/lighttpd.conf 文件:

server.modules = (
    "mod_indexfile",
    "mod_setenv",
    "mod_access",
    "mod_alias",
    "mod_redirect",
    "mod_proxy",
)

server.document-root = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.h2proto" => "enable")
server.feature-flags       += ("server.h2c"     => "enable")
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
    "mod_dirlisting",
    "mod_staticfile",
)


# proxy settings
$HTTP["host"]=~ "my.otherdomain.com"  {
        proxy.balance = "fair"
        proxy.server =  ("" =>
                                (
                                        ( "host" => "192.168.0.261", "port" => 80 ),
                                        ( "host" => "192.168.0.261", "port" => 443 )
                                ))
                        }

从技术上讲,代理设置应该位于 10-proxy.conf 中。我需要运行这个命令:

lighty-enable-mod proxy

这会在 /etc/lighttpd/conf-enabled 中创建一个到 /etc/lighttpd/conf-available 中的 10-proxy.conf 的符号链接。我读到我可以简单地在 lighttpd.conf 中添加代理设置 - 没有必要使用 10-proxy.conf。

当前的设置意味着 my.otherdomain.com 的传入流量最终会到达第二台 weewx 计算机。但是,certbot 需要进行通信。我很困惑应该在哪里运行 certbot - 从我的 weewx 机器还是从我的 NextCloud 机器?

我不是 Linux 专家,需要一些关于如何设置 lighttpd 进行正向和反向代理的指导,以便我的 weewx 机器可以安全。大多数涉及此的帖子都涉及 Apache、nginx 或某些特定的 Web 应用程序设置。使用类似正则表达式的符号,lighttpd conf 设置的语法相当混乱。例如:

$HTTP['host'] =~ '^(www.example.com)$' {
        url.rewrite-once = ('^/(.*)' => '/vhost/http/%0/$1')
        # In lighttpd we alter the path manually using rewrite rule. %0
        # refers to the hostname and $1 is the path.
        proxy.server = ( '' =>
                ( (
                'host' => '127.0.0.1',
                'port' => 8080
                ) )
        )
}

对于像我这样的傻瓜来说,没有简单的英语分步教程。

答案1

我通过回避问题解决了我的问题。这涉及将第三个 Raspberry Pi 配置为运行 nginx 代理管理器的专用代理服务器(https://nginxproxymanager.com/)。我使用了此处描述的设置:https://www.gitmemory.com/issue/MichaIng/DietPi/4417/847424141

基本上我遵循的步骤是:

  1. 设置一个运行 Dietpi 的新 Raspberry Pi
  2. 从 Dietpi 软件菜单安装 docker 和 docker compose
  3. 创建Nginx目录
  4. 在此目录中创建一个包含以下内容的 docker-compose.yml 文件夹:
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:2'
    restart: always
    ports:
      # Public HTTP Port:
      - '80:80'
      # Public HTTPS Port:
      - '443:443'
      # Admin Web Port:
      - '81:81'
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    environment:
      # If you would rather use Sqlite uncomment this
      # and remove all DB_MYSQL_* lines above
      DB_SQLITE_FILE: "/data/database.sqlite"
      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
  1. 创建一个sqlite数据库:
touch ./data/database.sqlite.
  1. 使用以下命令设置 nginx 代理管理器:
docker-compose up -d
  1. 重新启动 Raspberry Pi 和 viola - 它开箱即用!

  2. 然后我登录到管理界面http://proxyserver_ip:81。这是一个简洁/现代的界面。然后,我将端口转发添加到运行 nextcloud 和 weewx 的两台服务器。 nginx 代理管理器通过 Letsencrypt 获取 SSL 证书。无需在每台服务器上安装这些。代理转发使用端口 80,但在管理界面的 SSL 选项卡下,可以强制使用 https。

  3. 启用 https 后,我在 nextcloud 服务器上遇到了一个小问题(502 Bad Gateway)。我需要将以下行添加到 nextcloud config.php 文件中:

'overwriteprotocol' => 'https',
  1. 一切都一如既往的甜蜜!

相关内容