1.准备好域名及搭好https服务的nginx,这里以域名123.com为例,https://123.com需要能正常访问
2.搭好需要设置白名单的服务,这里以端口10086为例
下面教程为debian/ubuntu系统
预先准备的组件,若已安装可跳过
# Prerequisites used by the steps below; skip any that are already installed.
apt install rsyslog iptables nano -y
下载处理白名单程序
# Fetch the prebuilt 2.3.4 release binary straight into PATH. This is an
# unverified download that will later run as root: compare it against the
# checksum/signature published with the release (if any) before the chmod
# below, and pin the version you actually reviewed.
wget -O /usr/local/bin/selfhelp-iptables https://github.com/aoyouer/selfhelp-iptables/releases/download/2.3.4/selfhelp-iptables
赋予运行权限
# Make the downloaded binary executable.
chmod +x /usr/local/bin/selfhelp-iptables
在nginx中添加一个路径,反向代理到上面程序监听的端口
编辑nginx配置 路径仅供参考
# Example path only; edit whichever file your nginx.conf actually includes
# for this server_name.
nano /etc/nginx/conf.d/123.com
在location / 或者location其他路径下添加,这里/2表示后续通过访问https://123.com/2来添加白名单,按需修改路径
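# Whitelist entry point: a request to https://123.com/2 is forwarded to the
# selfhelp-iptables HTTP API. The upstream port must be the API listen port
# (10088, the -l value of the start command), NOT the protected service port
# 10086 (-p) — the tutorial text had 10086 here, which would proxy to the very
# service that is still firewalled.
location /2 {
    # Pass the original client address through to the API; presumably this is
    # what gets whitelisted — confirm against the project README.
    proxy_set_header X-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # The admin key is part of the proxied URL and is written to the nginx
    # access log; use a long random value and keep this path undisclosed.
    proxy_pass http://127.0.0.1:10088/api/add?key=adminkey123456;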
}完整示例
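# Full example: HTTPS server for 123.com. Two lines differ from the tutorial
# text and are marked FIX: the IPv6 listener was missing `ssl`, and the
# X-Real-IP value carried a stray backslash (a shell heredoc escape that does
# not belong in an nginx config and corrupts the header value).
server {
    listen 443 ssl http2;
    # FIX: without `ssl` this socket speaks plain HTTP on :443, so IPv6 clients
    # using https:// would fail to connect.
    listen [::]:443 ssl http2;
    # (On nginx 1.25.1+ the `http2` listen parameter is deprecated in favour of
    # a separate `http2 on;` directive.)
    ssl_certificate /ssl/123.crt;
    ssl_certificate_key /ssl/123.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-256:P-384:P-521;
    server_name 123.com;
    index index.html index.htm;
    root /www/web;
    error_page 400 = /400.html;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Existing reverse-proxied service with Upgrade/Connection pass-through
    # (WebSocket-style); unrelated to the whitelist API.
    location /12345666/
    {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12190;
        proxy_http_version 1.1;
        # FIX: was `\$remote_addr`.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

    # Whitelist entry point: https://123.com/2 -> selfhelp-iptables API on
    # 10088 (the -l port of the start command, not the protected port 10086).
    location /2 {
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The admin key is part of the proxied URL and is written to the
        # access log; use a long random value and keep this path undisclosed.
        proxy_pass http://127.0.0.1:10088/api/add?key=adminkey123456;
    }
}

# Plain-HTTP listener that only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name 123.com;
    return 301 https://$http_host$request_uri;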
}测试nginx配置是否正确 运行
# Validate the configuration syntax first so a typo does not take the site
# down on restart.
nginx -t
重启nginx
# Apply the new configuration (a `systemctl reload nginx` would also pick it up
# without dropping existing connections).
systemctl restart nginx
运行白名单处理程序:-a参数对应上面nginx配置中的key=;-p表示要保护的端口(默认不允许访问,添加白名单后才放行);-l表示程序监听的端口,对应nginx配置里的10088;-t表示失败多少次后自动添加白名单
# Foreground run for testing; the systemd unit below is the persistent form.
#   -a  admin key — must equal the key= value in the nginx proxy_pass above
#   -p  port being protected (blocked until an address is whitelisted)
#   -l  API listen port — must equal the upstream port in nginx (10088)
#   -t  failure count after which an address is auto-whitelisted
#   -u / --reverse: see the project README
# Both keys are passed on the command line and are therefore visible to every
# local user via the process list; use long random values, not these samples.
/usr/local/bin/selfhelp-iptables start -u userkey1234566 -a adminkey123456 -p 10086 -l 10088 -t 999999 --reverse
添加为系统服务(systemd)运行
# Create a systemd unit so the program is started at boot and restarted on
# failure; its contents follow.
nano /etc/systemd/system/wip.service
# /etc/systemd/system/wip.service — keeps selfhelp-iptables running across reboots.
[Unit]
Description=selfhelp-iptables
After=network.target

[Service]
Type=simple
# No User= is set, so the service runs as root (iptables changes need
# CAP_NET_ADMIN). The admin/user keys sit on the command line and are readable
# by any local user via the process list; use long random values and, if the
# program offers a file- or environment-based way to supply them, prefer that.
ExecStart=/usr/local/bin/selfhelp-iptables start -u userkey1234566 -a adminkey123456 -p 10086 -l 10088 -t 999999 --reverse
Restart=on-failure

[Install]
WantedBy=multi-user.target
添加启动项及运行
# Enable at boot and (re)start now. If the unit file is edited after it has
# been loaded, run `systemctl daemon-reload` first.
systemctl enable wip && systemctl restart wip
高级用法:反代完整api用于查看数据,例如通过访问https://123.com/10000/record?key=adminkey123456查看记录
更多用法参考https://github.com/aoyouer/selfhelp-iptables/
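# Advanced example: HTTPS server that also exposes the full selfhelp-iptables
# API under /10000. Changes from the tutorial text are marked FIX: the IPv6
# listener was missing `ssl`, X-Real-IP carried a stray backslash, and
# `location /10000` was nested inside `location /2` (where it could never
# match) while the server block was left unclosed, so `nginx -t` would fail.
server {
    listen 443 ssl http2;
    # FIX: without `ssl` this socket speaks plain HTTP on :443 for IPv6 clients.
    listen [::]:443 ssl http2;
    # (On nginx 1.25.1+ the `http2` listen parameter is deprecated in favour of
    # a separate `http2 on;` directive.)
    ssl_certificate /ssl/123.crt;
    ssl_certificate_key /ssl/123.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-256:P-384:P-521;
    server_name 123.com;
    index index.html index.htm;
    root /www/web;
    error_page 400 = /400.html;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Existing reverse-proxied service with Upgrade/Connection pass-through
    # (WebSocket-style); unrelated to the whitelist API.
    location /12345666/ {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12190;
        proxy_http_version 1.1;
        # FIX: was `\$remote_addr`.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

    # Whitelist entry point: https://123.com/2 -> API add endpoint on 10088.
    location /2 {
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The admin key is part of the proxied URL and is written to the
        # access log; use a long random value and keep this path undisclosed.
        proxy_pass http://127.0.0.1:10088/api/add?key=adminkey123456;
    }

    # FIX: sibling of /2, not nested in it. /10000/<path> maps to /api/<path>,
    # e.g. /10000/record?key=... for the record view. This exposes the whole
    # admin API behind a single query-string key; consider adding a second
    # control here (nginx allow/deny by source address, or HTTP basic auth)
    # because a leaked key gives full control of the firewall rules.
    location /10000 {
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:10088/api;
    }
}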
# Plain-HTTP listener that only redirects to HTTPS; HSTS is set on the 443
# server above.
server {
listen 80;
listen [::]:80;
server_name 123.com;
return 301 https://$http_host$request_uri;
}