添加acme,frps和nginx项目

Deployments.sln

@@ -7,10 +7,19 @@ Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "Gitea", "Gitea\Gitea.shproj
 EndProject
 Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "NginxAndLetsencrypt", "NginxAndLetsencrypt\NginxAndLetsencrypt.shproj", "{57D7CB76-1A45-4A68-A84F-7E5034096F19}"
 EndProject
+Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "frps", "frps\frps.shproj", "{267AF5A6-ED6B-46C9-BC52-46988686265A}"
+EndProject
+Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "nginx", "nginx\nginx.shproj", "{36F1D233-DF91-469D-B27B-157982E326F0}"
+EndProject
+Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "acme", "acme\acme.shproj", "{E02725FD-AEB7-4D76-9390-E083E78237C5}"
+EndProject
 Global
 	GlobalSection(SharedMSBuildProjectFiles) = preSolution
+		frps\frps.projitems*{267af5a6-ed6b-46c9-bc52-46988686265a}*SharedItemsImports = 13
+		nginx\nginx.projitems*{36f1d233-df91-469d-b27b-157982e326f0}*SharedItemsImports = 13
 		NginxAndLetsencrypt\NginxAndLetsencrypt.projitems*{57d7cb76-1a45-4a68-a84f-7e5034096f19}*SharedItemsImports = 13
 		Gitea\Gitea.projitems*{816bea29-9cdb-439d-bc36-d2dd6c52bc69}*SharedItemsImports = 13
+		acme\acme.projitems*{e02725fd-aeb7-4d76-9390-e083e78237c5}*SharedItemsImports = 13
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

acme/README.md

@@ -0,0 +1,62 @@
+## 前期准备
+
+主要是接下来安装acme时的gfw问题。如果是境内服务器，则有可能需要如下步骤。
+
+1. 小飞机的局域网内的代理地址。因为get.acme.sh中包含的脚本请求地址可能会被墙
+
+   `export http_proxy="172.18.184.139:10082"` 
+
+   `export https_proxy="172.18.184.139:10082"`
+
+2.  是因为据说在此加入上面的export命令可以实现开机自动开启代理。但没有尝试
+
+   `vim /etc/bashrc`
+
+3.  同上
+
+   `vim /etc/profile`
+
+## 安装acme
+
+1.  安装acme
+
+   `curl https://get.acme.sh | sh`
+
+2. 将dns api的key和secret存入环境变量。此处为阿里云，事前已经给对应SAM子账户分配了FullDnsApiAccess的权限。参见： https://blog.csdn.net/chen249191508/article/details/98088553  
+
+   `export Ali_Key="key"`
+
+   `export Ali_Secret="secret"` 
+
+   参见保密区域获取真实内容。注意，阿里云的控制台中，这两个值只在添加SAM子账户的时候出现，需要马上自行保存
+
+## 获取证书
+
+1. 申请安装证书。加--debug参数可以显示更多细节 
+
+   `acme.sh --debug --issue --dns dns_ali -d dev.woyue.org -d *.dev.woyue.org`
+
+2. 安装完毕后，检验是否配置自动任务  
+
+   `crontab -e`
+
+3. 确认当前证书  
+
+   `acme.sh --list` 
+
+## 安装证书
+
+1. 复制证书：
+
+   mkdir -p /srv/certbot/conf/live/dev.woyue.org
+
+   acme.sh --installcert -d dev.woyue.org -d *.dev.woyue.org \
+   --key-file /srv/certbot/conf/live/dev.woyue.org/privkey.pem \
+   --fullchain-file /srv/certbot/conf/live/dev.woyue.org/fullchain.pem \
+   --reloadcmd "docker restart nginxdocker_nginx_1"
+
+   注意，最后的nginxdocker_nginx_1为nginx容器的名称。请根据实际情况修改。**或不加此参数，手动重启nginx**。
+
+2. 生成：dhparams文件
+
+   openssl dhparam -out /srv/certbot/conf/ssl-dhparams.pem 2048

acme/acme.projitems

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
+    <HasSharedItems>true</HasSharedItems>
+    <SharedGUID>e02725fd-aeb7-4d76-9390-e083e78237c5</SharedGUID>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <Import_RootNamespace>acme</Import_RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <None Include="$(MSBuildThisFileDirectory)README.md" />
+  </ItemGroup>
+  <ItemGroup>
+    <Folder Include="$(MSBuildThisFileDirectory)certbot\conf\" />
+    <Folder Include="$(MSBuildThisFileDirectory)certbot\www\" />
+  </ItemGroup>
+</Project>

acme/acme.shproj

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>e02725fd-aeb7-4d76-9390-e083e78237c5</ProjectGuid>
+    <MinimumVisualStudioVersion>14.0</MinimumVisualStudioVersion>
+  </PropertyGroup>
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.Default.props" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.props" />
+  <PropertyGroup />
+  <Import Project="acme.projitems" Label="Shared" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.CSharp.targets" />
+</Project>

frps/README.md

@@ -0,0 +1,15 @@
+## 前期准备
+
+1. 用acme搞定泛域名ca证书。参看acme项目。
+2. 部署nginx docker。参看nginx项目。
+3. 根据nginx docker的网络设置，对应确定自己的docker-compose.yml文件中的对应内容设置正确。其中包括：
+   - ​	nginx所在的网络名称。配置到自己的docker-compose.yml文件中的网络定义中的external->name中去。
+   - 根据网络定义，设定自己的固定ip。
+   - 复制conf.d下的文件到nginx配置目录下的conf.d下。
+   - 确保刚复制的文件配置正确。如其中证书所在路径应符合之前acme复制证书时的目标目录。
+
+## 安装
+
+执行docker-compose up -d
+
+并验证是否成功。

frps/conf.d/frps.conf

@@ -0,0 +1,35 @@
+server {
+    listen 80;
+    server_name *.dev.woyue.org;
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name *.dev.woyue.org;
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/dev.woyue.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev.woyue.org/privkey.pem;
+    #include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        #ip address below should changed accordingly.
+        proxy_pass http://172.20.0.3:8090;
+        proxy_set_header    Host                $http_host;
+        proxy_set_header    X-Real-IP           $remote_addr;
+        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header    Upgrade             $http_upgrade;
+        proxy_set_header    Connection          $http_connection;
+    }
+}

frps/frps.projitems

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
+    <HasSharedItems>true</HasSharedItems>
+    <SharedGUID>267af5a6-ed6b-46c9-bc52-46988686265a</SharedGUID>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <Import_RootNamespace>frps</Import_RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <None Include="$(MSBuildThisFileDirectory)conf.d\frps.conf" />
+    <None Include="$(MSBuildThisFileDirectory)frps\conf\frps.ini" />
+    <None Include="$(MSBuildThisFileDirectory)frps\docker-compose.yml" />
+    <None Include="$(MSBuildThisFileDirectory)README.md" />
+  </ItemGroup>
+</Project>

frps/frps.shproj

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>267af5a6-ed6b-46c9-bc52-46988686265a</ProjectGuid>
+    <MinimumVisualStudioVersion>14.0</MinimumVisualStudioVersion>
+  </PropertyGroup>
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.Default.props" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.props" />
+  <PropertyGroup />
+  <Import Project="frps.projitems" Label="Shared" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.CSharp.targets" />
+</Project>

frps/frps/conf/frps.ini

@@ -0,0 +1,67 @@
+# [common] is integral section
+[common]
+# A literal address or host name for IPv6 must be enclosed
+# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
+bind_addr = 0.0.0.0
+bind_port = 7000
+
+# udp port to help make udp hole to penetrate nat
+bind_udp_port = 7001
+
+# udp port used for kcp protocol, it can be same with 'bind_port'
+# if not set, kcp is disabled in frps
+kcp_bind_port = 7000
+
+# specify which address proxy will listen for, default value is same with bind_addr
+# proxy_bind_addr = 127.0.0.1
+
+# if you want to support virtual host, you must set the http port for listening (optional)
+# Note: http port and https port can be same with bind_port
+vhost_http_port = 8090
+vhost_https_port = 8443
+
+# response header timeout(seconds) for vhost http server, default is 60s
+# vhost_http_timeout = 60
+
+# set dashboard_addr and dashboard_port to view dashboard of frps
+# dashboard_addr's default value is same with bind_addr
+# dashboard is available only if dashboard_port is set
+dashboard_addr = 0.0.0.0
+dashboard_port = 7500
+
+# dashboard user and passwd for basic auth protect, if not set, both default value is admin
+dashboard_user = hmo
+dashboard_pwd = Dm19000o
+
+# dashboard assets directory(only for debug mode)
+# assets_dir = ./static
+# console or real logFile path like ./frps.log
+log_file = ./frps.log
+
+# trace, debug, info, warn, error
+log_level = info
+
+log_max_days = 3
+
+# auth token
+token = 83550348
+
+# heartbeat configure, it's not recommended to modify the default value
+# the default value of heartbeat_timeout is 90
+# heartbeat_timeout = 90
+
+# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
+allow_ports = 43000-43010
+
+# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
+max_pool_count = 5
+
+# max ports can be used for each client, default value is 0 means no limit
+max_ports_per_client = 0
+
+# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
+# when subdomain is test, the host used by routing is test.frps.com
+subdomain_host = dev.woyue.org
+
+# if tcp stream multiplexing is used, default is true
+tcp_mux = true

frps/frps/docker-compose.yml

@@ -0,0 +1,25 @@
+
+version: "3.5"
+
+networks:
+  default:
+    external:
+      name: nginx_firstnet
+
+services:
+  server:
+    image: "ruiny/frps:latest"
+    restart: always
+    networks:
+      default:
+        ipv4_address: 172.20.0.3
+    volumes:
+      - ./conf:/var/frp/conf
+    ports:
+      - "7000:7000"
+      - "7500:7500"
+      - "7001:7001"
+      - "8089:80"
+      - "8443:43"
+      - "43000-43010:43000-43010/udp"
+      - "43000-43010:43000-43010/tcp"

nginx/data/conf/conf.d/sample.conf.bk

@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    server_name git.woyue.org;
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name git.woyue.org;
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/git.woyue.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/git.woyue.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://172.20.0.3:3000; 
+        proxy_set_header    Host                $http_host;
+        proxy_set_header    X-Real-IP           $remote_addr;
+        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_set_header    Upgrade             $http_upgrade;
+        proxy_set_header    Connection          $http_connection;
+    }
+}

nginx/data/conf/nginx.conf

@@ -0,0 +1,40 @@
+user  root;
+worker_processes  1;
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+  
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+    autoindex  on;
+    gzip on;
+    gzip_min_length 1k;
+    gzip_buffers 4 16k;
+    #gzip_http_version 1.0;
+    gzip_comp_level 2;
+    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
+    gzip_vary off;
+    gzip_disable "MSIE [1-6]\.";
+    
+    client_max_body_size         100M;
+    client_header_buffer_size     128k; 
+    large_client_header_buffers  4  128k;  
+
+
+    include /etc/nginx/conf.d/*.conf;
+ 
+}

nginx/docker-compose.yml

@@ -0,0 +1,31 @@
+
+version: "3.5"
+
+#设定network. 其他应用应设置network的external为本网络，以和nginx服务器互通。
+networks:
+  firstnet:
+    name:nginx_firstnet
+    ipam:
+      config:
+        - subnet: 172.20.0.0/16
+
+services:
+  nginx:
+    image: nginx:latest
+    restart: unless-stopped
+    volumes:
+      - ./data/conf/conf.d:/etc/nginx/conf.d
+      - ./data/conf/nginx.conf:/etc/nginx/nginx.conf
+      - ./data/html:/usr/share/nginx/html
+      - ./data/logs:/var/log/nginx
+      # 此处的配置取决于conf.d下的配置文件中如何配置证书路径。例如：“ssl_certificate /etc/letsencrypt/live/git.woyue.org/fullchain.pem;”等
+      - ../certbot/conf:/etc/letsencrypt
+      # 此处的配置取决于conf.d下的配置文件中的配置“location /.well-known/acme-challenge/”，可参看sample.conf：
+      - ../certbot/www:/var/www/certbot
+    networks:
+      firstnet:
+        ipv4_address: 172.20.0.2
+    ports:
+      - "80:80"
+      - "443:443"
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

nginx/nginx.projitems

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
+    <HasSharedItems>true</HasSharedItems>
+    <SharedGUID>36f1d233-df91-469d-b27b-157982e326f0</SharedGUID>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <Import_RootNamespace>nginx</Import_RootNamespace>
+  </PropertyGroup>
+  <ItemGroup>
+    <None Include="$(MSBuildThisFileDirectory)docker-compose.yml" />
+    <None Include="$(MSBuildThisFileDirectory)data\conf\conf.d\sample.conf.bk" />
+    <None Include="$(MSBuildThisFileDirectory)data\conf\nginx.conf" />
+  </ItemGroup>
+  <ItemGroup>
+    <Folder Include="$(MSBuildThisFileDirectory)data\" />
+  </ItemGroup>
+</Project>

nginx/nginx.shproj

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>36f1d233-df91-469d-b27b-157982e326f0</ProjectGuid>
+    <MinimumVisualStudioVersion>14.0</MinimumVisualStudioVersion>
+  </PropertyGroup>
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.Default.props" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.Common.props" />
+  <PropertyGroup />
+  <Import Project="nginx.projitems" Label="Shared" />
+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)\CodeSharing\Microsoft.CodeSharing.CSharp.targets" />
+</Project>