知乎专栏 |
https://caddyserver.com/docs/caddyfile
localhost example.com :443 http://example.com localhost:8080 127.0.0.1 [::1]:2015 example.com/foo/* *.example.com http://
localhost:8080, example.com, www.example.com
泛解析
*.example.com
http://api.netkiller.cn { reverse_proxy /* http://192.168.30.10:8080 tls netkiller@msn.com }
推送 X-Forwarded-For 头
http://www.netkiller.cn { root * /opt/netkiller.cn/www.netkiller.cn file_server reverse_proxy /api/* 192.168.30.10:8080 { header_up X-Real-IP {http.request.remote.host} header_up X-Forwarded-For {http.request.remote.host} } }
反向代理自签名证书,添加 tls_insecure_skip_verify 配置项
netkiller.cn { reverse_proxy * { to https://192.168.0.10 transport http { tls_insecure_skip_verify } } } api.netkiller.cn { reverse_proxy * { to 192.168.10.10:443 transport http { tls tls_insecure_skip_verify } } }
反向代理URL前缀问题
举例: www.netkiller.cn { reverse_proxy /api/* http://api.netkiller.cn:8080 } 访问URL: http://www.netkiller.cn/api/adduser 实际访问的URL是: http://api.netkiller.cn:8080/api/adduser 我们需要的URL是: http://api.netkiller.cn:8080/adduser
解决方案
www.netkiller.cn { route /api* { uri strip_prefix /api reverse_proxy api.netkiller.cn:8088 } }
准备域名
neo@MacBook-Pro-Neo-3 ~> dig chat.netkiller.cn ; <<>> DiG 9.10.6 <<>> chat.netkiller.cn ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24569 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;chat.netkiller.cn. IN A ;; ANSWER SECTION: chat.netkiller.cn. 600 IN A 8.219.73.35 ;; Query time: 109 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Mon Jul 04 19:31:02 CST 2022 ;; MSG SIZE rcvd: 62
这里准备了一个域名 chat.netkiller.cn 并且已经做好了解析
安装 certbot 工具
[root@netkiller ~]# dnf install -y certbot
生成 SSL 证书
[root@netkiller ~]# certbot certonly --manual Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): netkiller@msn.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Account registered. Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): chat.netkiller.cn Requesting a certificate for chat.netkiller.cn - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create a file containing just this data: h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII And make it available on your web server at this URL: http://chat.netkiller.cn/.well-known/acme-challenge/h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
此时不要按回车继续,放在一边,开一个新终端窗口,配置 Caddy 服务器
[root@netkiller ~]# vim /etc/caddy/Caddyfile chat.netkiller.cn:80 { respond /.well-known/acme-challenge/h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4 "h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII" 200 } [root@netkiller ~]# systemctl reload caddy [root@netkiller ~]# curl http://chat.netkiller.cn/.well-known/acme-challenge/h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4 h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII
回到 certonly 按回车继续
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/chat.netkiller.cn/fullchain.pem Key is saved at: /etc/letsencrypt/live/chat.netkiller.cn/privkey.pem This certificate expires on 2022-10-02. These files will be updated when the certificate renews. NEXT STEPS: - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
证书创建完毕,接着配置 Caddy Web 服务器
[root@netkiller ~]# vim /etc/caddy/Caddyfile chat.netkiller.cn:80 { respond /.well-known/acme-challenge/h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4 "h27fzgPCxW9Kmhcd9af3YPwuYFCizmZZ_JLvoCeNSQ4.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII" 200 } chat.netkiller.cn { respond "Hello world!!!" } [root@netkiller ~]# systemctl reload caddy [root@netkiller ~]# curl https://chat.netkiller.cn Hello world!!!
使用 MySSL 工具检查证书 https://myssl.com/chat.netkiller.cn?domain=chat.netkiller.cn
chat.netkiller.cn { respond "Hello, world!" }
[root@netkiller ~]# curl https://chat.netkiller.cn Hello, world!
[root@netkiller ~]# cat /etc/caddy/Caddyfile chat.netkiller.cn { respond /.well-known/acme-challenge/V7-P_SdeHeXDk3qyj0HhvYrrQ2PFbZrKv4ck6FNQSys "V7-P_SdeHeXDk3qyj0HhvYrrQ2PFbZrKv4ck6FNQSys.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII" 200 } [root@netkiller ~]# curl https://chat.netkiller.cn/.well-known/acme-challenge/V7-P_SdeHeXDk3qyj0HhvYrrQ2PFbZrKv4ck6FNQSys V7-P_SdeHeXDk3qyj0HhvYrrQ2PFbZrKv4ck6FNQSys.sD2SO-myCgf0JjzYqkA9LA3nN9Pau98bk_fmlBWmzII