Tutorial source: 1. Reverse-proxying Emby tutorial (Caddy version)
Caddy version (recommended: simple and convenient)
Open ports 80/443
Caddy needs port 80 to obtain certificates; 443 is used as the HTTPS port.
UFW (Debian, Ubuntu)
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Firewalld (CentOS, AlmaLinux)
sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
Install Caddy
Debian, Ubuntu
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
Fedora, RedHat, CentOS, AlmaLinux, RockyLinux
dnf install 'dnf-command(copr)'
dnf copr enable @caddy/caddy
dnf install caddy
If you get errors, run the commands one line at a time.
Enable Caddy at boot
sudo systemctl enable caddy
sudo systemctl start caddy
Edit the Caddy configuration file
sudo nano /etc/caddy/Caddyfile
Copy the following, adjust it to your needs, and save.
your.domain.com { # your own domain goes here
reverse_proxy https://target.domain:443 { # the domain to proxy; a Cloudflare-fronted domain works too
header_up Host {upstream_hostport}
}
}
Restart Caddy
sudo systemctl restart caddy
At this point Emby can be accessed through the new domain via the reverse proxy.
Nginx version
- Assume your own domain is:
my.domain.com
- The domain to be proxied is:
proxy.domain.com
- Debian 12 is used as the example system
Install Nginx
sudo apt update
sudo apt install nginx
Open ports 80/443
sudo apt install ufw -y
sudo ufw allow ssh
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp
sudo ufw enable
sudo ufw reload
Enable Nginx at boot
sudo systemctl enable nginx
sudo systemctl start nginx
Create the reverse-proxy site configuration file
cd /etc/nginx/sites-enabled
touch my.domain.com
Edit the reverse-proxy configuration file
nano /etc/nginx/sites-enabled/my.domain.com
Copy the following and save it (this lets acme.sh use Nginx to obtain the SSL certificate later).
server {
listen 80;
listen [::]:80;
server_name my.domain.com;
}
Install acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
source ~/.bashrc
Issue the certificate
- Assume your own domain is:
my.domain.com
- The domain to be proxied is:
proxy.domain.com
acme.sh --issue -d my.domain.com --nginx
If it runs without problems you will get output like the following:
Your cert is in: /root/.acme.sh/my.domain.com_ecc/my.domain.com.cer
Your cert key is in: /root/.acme.sh/my.domain.com_ecc/my.domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my.domain.com_ecc/ca.cer
And the full-chain cert is in: /root/.acme.sh/my.domain.com_ecc/fullchain.cer
Edit the reverse-proxy configuration file again
Copy the complete configuration below, adjust it to your needs, and save.
# This block lets acme.sh use Nginx to obtain the SSL certificate
server {
listen 80;
listen [::]:80;
server_name my.domain.com;
}
server {
# Listen on port 443 for IPv4 and IPv6 with SSL and HTTP/2 enabled
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Server name (domain)
server_name my.domain.com;
# SSL certificate configuration
# Path to the SSL certificate used to encrypt HTTPS traffic
ssl_certificate /root/.acme.sh/my.domain.com_ecc/fullchain.cer;
# Path to the SSL certificate's private key
ssl_certificate_key /root/.acme.sh/my.domain.com_ecc/my.domain.com.key;
# SSL tuning
ssl_protocols TLSv1.2 TLSv1.3; # Enable TLS 1.2 and 1.3, disable insecure older versions
ssl_ciphers HIGH:!aNULL:!MD5; # Require strong cipher suites
ssl_prefer_server_ciphers on; # Prefer the server's cipher order
ssl_session_cache shared:SSL:10m; # Enable the SSL session cache for performance
ssl_session_timeout 1d; # SSL session cache entries expire after 1 day
# Security-related HTTP headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Enable HSTS for one year, including all subdomains
add_header X-Frame-Options DENY; # Forbid embedding the page in an iframe, preventing clickjacking
add_header X-Content-Type-Options nosniff; # Stop browsers from guessing content types
# Reverse proxy configuration
location / {
# Forward all requests to the backend https://proxy.domain.com:443
proxy_pass https://proxy.domain.com:443;
# Set the Host header sent upstream to the proxy_pass host ($proxy_host, i.e. proxy.domain.com), not the hostname the client requested
proxy_set_header Host $proxy_host;
# Set X-Real-IP so the backend receives the client's real IP
proxy_set_header X-Real-IP $remote_addr;
# Set X-Forwarded-For to the client's real IP plus any intermediate proxy IPs
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Set X-Forwarded-Proto to indicate the protocol of the original request
proxy_set_header X-Forwarded-Proto $scheme;
# Configure SNI (Server Name Indication) for the proxied SSL connection
proxy_ssl_name proxy.domain.com;
proxy_ssl_server_name on; # Enable SNI so the backend serves the correct certificate for the name
}
}
Restart Nginx
nginx -s reload
At this point Emby can be accessed through the new domain via the reverse proxy.
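Once either the Caddy or the Nginx proxy is up, it is worth checking what the proxy actually sends back rather than trusting the config. The script below is an added example (not part of the original tutorial): it fetches the front page over TLS 1.2 or later and reports which of the security headers from the Nginx config above (HSTS with a one-year max-age, X-Frame-Options, X-Content-Type-Options) are missing or weak; the Caddy config sets none of these by itself, so the same check shows what it still lacks. PROXY_HOST is an assumed placeholder for your own domain.

```python
"""Post-deployment header check for the Emby reverse proxy (added example)."""
import http.client
import ssl

ONE_YEAR = 31536000  # HSTS max-age used in the Nginx config above


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def check_security_headers(headers):
    """Return a list of findings for a dict of lower-cased response headers."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif (hsts_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


def fetch_headers(host, path="/"):
    """GET path over TLS 1.2+ with certificate verification on; return
    (status, headers) with header names lower-cased."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    PROXY_HOST = "my.domain.com"  # assumption: replace with your own domain
    status, hdrs = fetch_headers(PROXY_HOST)
    print(status, check_security_headers(hdrs) or "security headers OK")
```

A non-empty findings list after the Caddy setup is expected; add the equivalent headers with Caddy's `header` directive if you want parity with the Nginx config.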
Published by: 木木. Please cite the source when reposting: https://blog.mmcool.site/5872.html