OpenWrt: using nginx as the web server
On OP (OpenWrt) people use nginx as the web server mainly for its powerful reverse-proxy capability. However, the nginx shipped by OpenWrt has been modified somewhat by the maintainers, which makes its configuration a bit more complex; the few articles out there are fairly old and their configurations are confusing, so they are hard to copy. I therefore looked things up, learned some nginx, and implemented the following:
[Sequence diagram: External network, OP, Internal network. External -> OP: accesses the opened ports over HTTPS using the domain name; OP rejects unopened ports and plain HTTP requests. Internal -> OP: accesses OP directly by its LAN IP address; OP allows internal access requests.]
Assumed: you have already registered a domain, configured DDNS, and obtained an SSL certificate.
Change the UCI setting
OpenWrt layers the UCI configuration on top of nginx's own configuration, so the first step is to turn off UCI configuration management.
The third reference article (the official documentation) already explains this clearly: if you only need simple nginx management, UCI is enough; if you want to configure nginx yourself, turn UCI management off.
So of course we turn it off:
The first, elegant way: log in to the shell and enter:
uci set nginx.global.uci_enable=false
uci commit nginx
These two commands disable UCI's takeover of the configuration.
The second, direct way: edit /etc/config/nginx:
config main 'global'
	# just change true here to false
	option uci_enable 'false'
config server '_lan'
	option server_name '_lan'
	list include 'restrict_locally'
	list include 'conf.d/*.locations'
	option uci_manage_ssl 'self-signed'
	option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
	option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option access_log 'off; # logd openwrt'
config server '_redirect2ssl'
	list listen '80'
	list listen '[::]:80'
	option server_name '_redirect2ssl'
	option return '302 https://$host$request_uri'
After this change and a restart, nginx is no longer managed by UCI; from here on the rest of the configuration is the same as for a regular nginx.
Remove the HTTP-to-HTTPS redirect for LAN access
Edit the configuration file /etc/nginx/nginx.conf; here is the specific block to change:
server { #see uci show 'nginx._lan'
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _lan;
    include restrict_locally;
    include conf.d/*.locations;
    ssl_certificate /etc/nginx/conf.d/_lan.crt;
    ssl_certificate_key /etc/nginx/conf.d/_lan.key;
    ssl_session_cache shared:SSL:32k;
    ssl_session_timeout 64m;
    access_log off; # logd openwrt;
}
server { #see uci show 'nginx._redirect2ssl'
    listen 80;
    listen [::]:80;
    server_name _redirect2ssl;
    return 302 https://$host$request_uri;
}
Change it to:
server { #see uci show 'nginx._lan'
    listen 80;
    listen [::]:80;
    server_name _lan;
    include restrict_locally;
    include conf.d/*.locations;
    access_log off; # logd openwrt;
}
A note: many articles keep the _redirect2ssl virtual server instead. Which of the two virtual servers you keep makes no functional difference; I kept _lan simply because there is a lan configuration under /etc/nginx/, so it felt more natural.
This line is the local web UI, i.e. OP's management page:
include conf.d/*.locations;
This line filters on the reserved LAN address ranges, so that only LAN IP addresses can reach OP's management page:
include restrict_locally;
On top of that, the three major domestic (Chinese) ISPs block ports 80, 443 and a series of other common ports by default, so in a sense this is quite safe.
After editing the configuration, run in the shell:
nginx -t
to check the configuration for basic syntax errors.
Then enter the command to reload or restart nginx:
service nginx reload
service nginx restart
From now on, LAN access by IP address is no longer forced to HTTPS.
Adding the SSL certificate
There are plenty of guides on obtaining an SSL certificate; nowadays most use the acme.sh script to request one automatically, or you can request a free certificate from your domain registrar.
I won't repeat that here; search for it yourself.
Adding a certificate to nginx is just a matter of declaring the two values ssl_certificate and ssl_certificate_key; here is a way to add them globally.
Edit the configuration file /etc/nginx/nginx.conf:
gzip_proxied any;
root /www;
##### add the following to the configuration file #####
# Mozilla Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
# Check that your hardware supports the following cipher suites; if it does not, or you are unsure, you can simply remove this line
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Change the following two paths to the certificate (public key) and private key files of your own domain
ssl_certificate /etc/nginx/conf.d/example.com.crt;
ssl_certificate_key /etc/nginx/conf.d/example.com.key;
# End of the certificate and key paths to change
ssl_session_cache shared:SSL:32k;
ssl_session_timeout 64m;
##### end of the content to add #####
server { #see uci show 'nginx._lan'
Once added, reload and restart the nginx service.
You now have a global SSL certificate declaration. If you have several domains to reverse-proxy, you will need to configure the matching certificate in each domain's own server block.
Adding the reverse proxy
Generally, for a service that needs to be reachable from the internet, a plain port forward to a given LAN IP and port is enough:
[Sequence diagram: External network, OP, Internal service. External -> OP: accesses via domain name plus port. OP -> Internal service: forwards the external access request.]
With an nginx reverse proxy, however, external traffic is first forwarded to a given port on OP, and nginx on OP then forwards it to the LAN IP:
[Sequence diagram: External network, OP.NGINX, Internal service. External -> OP.NGINX: accesses the nginx server on OP via domain name plus port. OP.NGINX -> Internal service: nginx decides whether to forward the external access request.]
So remember to forward the corresponding port to OP's local port under OP -> Firewall -> Port Forwards.
Following the usual nginx convention, I created a configuration file example.com.conf in the /etc/nginx/conf.d directory:
server {
    # adding the ssl suffix is usually enough; I also require the http2 protocol here
    listen 9080 ssl http2;
    listen [::]:9080 ssl http2;
    # change to your own domain
    server_name example.com;
    location / {
        # change to the LAN IP and port of the service you want to proxy
        proxy_pass http://localserver:9080;
        proxy_set_header Host $host;
        # the following include was generated by the configuration site; it is fine to leave it out
        include nginxconfig.io/proxy.conf;
    }
    # access_log takes a file path or 'off'; 'on' is not a keyword (nginx would treat it as a
    # relative file name). The path below is an assumed location on OpenWrt's tmpfs /var/log.
    access_log /var/log/nginx-access.log;
    # location / { ... } # root location for this server.
}
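As an added check that is not part of the original post: a small Python audit that parses nginx server blocks and flags the two mistakes this setup is meant to avoid, a plain-HTTP server reachable without restrict_locally (the LAN filter used for the management page) and an access_log value that is neither 'off' nor a path. The parser, rule wording and sample configuration are my own assumptions, not OpenWrt or nginx tooling.

```python
import re
# Tokens: '#' comments, quoted strings, block/statement punctuation, bare words.
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(text):
    """Parse nginx.conf text into nested (name, args, children) tuples."""
    stack, args = [[]], []
    for tok in TOKEN.findall(text):
        if tok.startswith('#'):
            continue
        if tok in ('{', ';'):  # '{' opens a block, ';' ends a simple directive
            node = (args[0], args[1:], [] if tok == '{' else None)
            stack[-1].append(node)
            if tok == '{':
                stack.append(node[2])
            args = []
        elif tok == '}':
            stack.pop()
        else:
            args.append(tok.strip('\'"'))
    return stack[0]

def find(block, name):
    """Every (name, args, children) directive called `name` in `block`, recursively."""
    out = [d for d in block if d[0] == name]
    for _, _, children in block:
        out += find(children, name) if children else []
    return out

def audit(text):
    """Findings: admin UI LAN-only, other servers TLS-only or an https redirect, access_log sane."""
    findings = []
    for _, _, body in find(parse(text), 'server'):
        name = ' '.join(a for _, args, _ in find(body, 'server_name') for a in args)
        lan_only = any(args == ['restrict_locally'] for _, args, _ in find(body, 'include'))
        redirect = any('https://' in ' '.join(a) for _, a, _ in find(body, 'return') + find(body, 'rewrite'))
        for _, listen, _ in find(body, 'listen'):
            if 'ssl' not in listen and not (lan_only or redirect):
                findings.append('%s: plain HTTP on %s reachable without restrict_locally' % (name, listen[0]))
        for _, log, _ in find(body, 'access_log'):
            if log[0] != 'off' and not log[0].startswith(('/', 'syslog:', 'stderr')):
                findings.append("%s: access_log '%s' is a relative file path, not a switch" % (name, log[0]))
    return findings
# Constructed sample modelled on the post's server blocks (not the post's own file).
SAMPLE = """http { ssl_protocols TLSv1.2 TLSv1.3;
  server { listen 80; listen [::]:80; server_name _lan; include restrict_locally; access_log off; }
  server { listen 9080 ssl http2; server_name example.com; access_log on; location / { proxy_pass http://localserver:9080; } }
  server { listen 8080; server_name files.example.com; location / { proxy_pass http://nas:8080; } }
  server { listen 80; server_name example.com; rewrite ^/(.*)$ https://$host/$1 permanent; } }"""
```

Running audit(SAMPLE) reports the access_log 'on' value on example.com and the unprotected plain-HTTP server on port 8080, while the _lan block and the redirect block pass.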
After adding it, test the configuration for syntax errors, then reload and restart the nginx service. If access via the domain fails, don't panic:
1. From the LAN, access the nginx host by IP address plus the configured port to confirm that the internal service itself works.
2. Confirm that the dynamic DNS record has updated correctly.
3. If neither is the cause, the port you opened has probably been blocked by your ISP; switch to another port.
Here are the contents of /etc/nginx/nginxconfig.io/proxy.conf:
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
These changes were adapted from the demo of the NGINX configuration generator site; add them at your own discretion: NGINX Config: the easiest way to configure a performant, secure, and stable NGINX server.
Redirect external HTTP access to HTTPS automatically
At this point everything is already reachable, but if you use http to access a port that requires HTTPS, nginx returns a 400 error, meaning you should be using https.
You could of course reuse the LAN HTTP-to-HTTPS redirect approach, but I recall having some trouble when I tested it. Here is a method I found recently that redirects all access to a domain to HTTPS; you can of course change the port to a specific one:
server {
    # listen takes an address and/or port, not a domain name; 80 is the plain-HTTP port to catch
    listen 80;
    server_name example.com;
    # $1 is captured after the leading slash, so the slash has to be put back in the target URL
    rewrite ^/(.*)$ https://$host/$1 permanent;
}
Main references
K3 Ultimate Tinkering Notes (3): remote access to OpenWrt via an IPv6 domain, HTTPS certificate installation and configuration.
Setting up nginx on OpenWrt so that HTTP is not redirected to HTTPS, to use the OpenClash yacd panel normally.
Nginx webserver (OpenWrt documentation).