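Linux Panel Series: Configuring a Reverse Proxy and Publishing on a Non-443 Port
This article was last updated 347 days ago. The information in it may have evolved or changed since then; if anything no longer works, leave a message in the comments.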

Preface

Basically, all applications deployed in the home data center are ultimately published to the outside through a reverse proxy. This is the same as configuring a reverse proxy on a cloud host; the only difference is that port 443 cannot be used for publishing. Since I use the Baota Linux panel to implement the reverse proxy, this article takes the Baota Linux panel as an example and briefly describes the steps to configure a reverse proxy for the domain name www.example.com and enable https.


I recommend that everyone use https rather than http. On the one hand, http is indeed not secure; on the other hand, many browsers warn that the site is not secure when it is accessed over http, which is very annoying.


Add a site

Select "Website" - "Add Site":

image.png

If it is a cloud host with a public IP and the domain name has been registered, port 443 is available and the domain name in the above picture does not need to be followed by a port number. If it is home broadband or an unregistered cloud host, only a non-443 port can be used (44443 is just an example; you can pick any port other than 443, 80 and other more sensitive ports, as long as the port is reachable, though it is best to choose one that is easy to remember). Finally, click "Submit" in the lower right corner.

Setting up SSL Certificate


There are two ways to obtain an SSL certificate:
1. Manual application
Each cloud provider gives you a certain number of free one-year certificates (usually 20) as long as you have purchased a domain name. The following uses Alibaba Cloud and Tencent Cloud as examples to show where to apply.
Alibaba Cloud:
The application location is "Digital Certificate Management Service" - "SSL Certificate" - "Free Certificate" - "Create Certificate":

image.png

Alibaba Cloud provides 20 free certificates per year, and I have only one left.
Tencent Cloud:
The application location is "SSL Certificate" - "My Certificate" - "Free Certificate" - "Apply for Free Certificate":
image.png

It says 50, but for a Tencent domain name only 20 can be used, which is the same as Alibaba Cloud.

After the certificate is issued, download it in the nginx format:

image.png

2. Automatic application
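This mainly refers to Let's Encrypt, which issues free certificates that are valid for 3 months and can be renewed automatically. However, one main domain name can only apply 5 times within 168 hours; once that limit is reached, you can only wait out the 168 hours.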


The interface for successful site creation is as follows:

image.png

In the above picture, click "Settings" in the red box on the right to enter the site settings interface:
image.png

Click on SSL in the red box on the left side of the above picture, and the interface is as follows:
image.png

If you add the SSL certificate manually, go to the "current certificate" location marked by the red box in the above picture and unzip the downloaded nginx certificate. Open the www.example.com.key file with a text editor and copy all of its contents into the key (KEY) field in the red box at the lower left of the picture above; then open the www.example.com.pem file with a text editor (in fact, the contents of the .pem and .crt files are the same) and copy all of its contents into the certificate (PEM) field in the red box at the lower right. Finally, click the green button "Ensure and Enable Certificate" below.

If you want to use Let's Encrypt to apply for an SSL certificate automatically, click the Let's Encrypt tab, as shown below:

image.png

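DNS validation is the recommended validation method: if the API of the DNS service provider is set up correctly, for example the API of Alibaba Cloud DNS or Tencent Cloud DNSPod, Let's Encrypt can renew the certificate automatically before it expires, so in theory you never have to worry about the SSL certificate expiring. Finally, click the green "Apply" button below; if everything goes well, the SSL certificate will be issued automatically after a short wait: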
image.png

Modify the site configuration file (optional)

This step is optional because, as mentioned earlier, it depends on whether you have a legitimately registered port 443. If you do, this step is unnecessary; if not, it is required.

After setting up the SSL certificate in the previous section, the contents of the configuration file are as follows:

image.png

As shown in the red box on the right side of the above picture, the Baota panel sets the SSL listening port to 443 by default. If you have a legitimate port 443, this is of course no problem; if not, external browsers will fail to establish an SSL connection, so you need to change 443 to the port you configured. In this article that is 44443, so the modified content is as follows:
image.png

You only need to change this one place, then click the green "Save" button below.

Setting up a reverse proxy

Finally, we get to the point of this article, setting up a reverse proxy. The previous parts are just preparations.

image.png

Click the reverse proxy in the red box on the left of the above picture, and the following interface will appear:
image.png

Click "Add Reverse Proxy" in the red box above, and the following interface will appear:
image.png

If the IP of the intranet application is 192.168.1.100 and the port is 8000, the correct configuration is as follows:
image.png

There is not much to say about the "target URL", but here I would like to mention the sending domain name and content replacement.

The default value of the sending domain name is $host, and generally you can leave it unchanged. It means that the domain name your browser accesses, www.example.com, is passed on to the application behind the target URL; many applications do not care about this. However, there are some special applications, such as minio used to build COS (see the article: Docker series builds a private COS platform based on minio): the docker it deploys only recognizes host 127.0.0.1 (very speechless), so for minio the default value cannot be used as the sending domain name. The following is my configuration:

image.png

There are also some other applications, such as wordpress and nextcloud, which have the access domain name hard-coded inside the application. These may also require modifying the sending domain name.
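As an added example (not the file the Baota panel generates, and not the author's own configuration), the server block below shows how the settings from the last two sections fit together in nginx: the non-443 listening port, the target URL and the sending domain name. The certificate paths are placeholders, and it assumes the externally reachable port is the same 44443 that nginx listens on.

```nginx
# Added example: a minimal vhost of the kind described above, not the
# panel's generated file. Certificate paths are placeholders.
server {
    # Publish HTTPS on the non-443 port chosen when adding the site.
    listen 44443 ssl;
    server_name www.example.com;

    ssl_certificate     /path/to/www.example.com.pem;   # placeholder path
    ssl_certificate_key /path/to/www.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # nginx raises 497 when plain HTTP arrives on an ssl port; send the
    # client back to the same host and port over https.
    # Assumes the external port equals the listening port.
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        # "Target URL": the intranet application.
        proxy_pass http://192.168.1.100:8000;

        # "Sending domain name". $host is the requested name without the port.
        proxy_set_header Host $host;
        # An application that builds absolute links or redirects from the
        # Host header may need the port as well:
        # proxy_set_header Host $host:$server_port;
        # An application that only accepts one fixed name (the minio case
        # described above) is sent that literal value instead:
        # proxy_set_header Host 127.0.0.1;

        # Pass the original client address and scheme to the application.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After any manual change, `nginx -t` checks the syntax before the configuration is reloaded.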

Content replacement is useful on some special occasions. For example, the page of the free version of some software contains many words like "pro"; you can use content replacement to replace "pro" with a blank or with other words. If you are interested, you can try it.

In addition: this article mainly describes the specific steps for building a reverse proxy with the Baota Linux panel and does not go far into reverse proxy theory. If you want to understand the role and working method of a reverse proxy in more depth, you can refer to my other two articles: Home Data Center Series Application Release - Reverse Proxy (Part 1) and Home Data Center Series Application Release - Reverse Proxy (Part 2).

The content of this blog is original. Please indicate the source when reprinting! For more blog articles, see the Sitemap. The RSS address of the blog is https://blog.tangwudi.com/feed, and you are welcome to subscribe; if necessary, you can join the Telegram Group to discuss problems together.