Различия

Показаны различия между двумя версиями страницы.

--- nginx_php [18.05.2025 18:27] – augin
+++ nginx_php [19.05.2025 06:52] (текущий) – [nginx] augin
@@ Строка 1: / Строка 1: @@
+====== install ======
 <code bash>
 opkg install nginx
@@ Строка 104: / Строка 106: @@
 <code bash>
-mkdir -p /etc/nginx/stream-enabled
+/etc/nginx/sites-available/YOU_DOMAIN
-cat > "/etc/nginx/stream-enabled/stream.conf" << EOF
-map \$ssl_preread_server_name \$sni_name {
-    hostnames;
-    ${reality_domain}      xray;
-    ${domain}           www;
-    default              xray;
-}
-upstream xray {
-    server 127.0.0.1:8443;
-}
-upstream www {
-    server 127.0.0.1:7443;
-}
-server {
-    proxy_protocol on;
-    set_real_ip_from unix:;
-    listen          443;
-    proxy_pass      \$sni_name;
-    ssl_preread     on;
-}
-EOF
-grep -xqFR "stream { include /etc/nginx/stream-enabled/*.conf; }" /etc/nginx/* ||echo "stream { include /etc/nginx/stream-enabled/*.conf; }" >> /etc/nginx/nginx.conf
-grep -xqFR "load_module modules/ngx_stream_module.so;" /etc/nginx/* || sed -i '1s/^/load_module \/usr\/lib\/nginx\/modules\/ngx_stream_module.so; /' /etc/nginx/nginx.conf
-grep -xqFR "load_module modules/ngx_stream_geoip2_module.so;" /etc/nginx* || sed -i '2s/^/load_module \/usr\/lib\/nginx\/modules\/ngx_stream_geoip2_module.so; /' /etc/nginx/nginx.conf
-grep -xqFR "worker_rlimit_nofile 16384;" /etc/nginx/* ||echo "worker_rlimit_nofile 16384;" >> /etc/nginx/nginx.conf
-sed -i "/worker_connections/c\worker_connections 4096;" /etc/nginx/nginx.conf
-cat > "/etc/nginx/sites-available/80.conf" << EOF
-server {
-    listen 80;
-    server_name ${domain} ${reality_domain};
-    return 301 https://\$host\$request_uri;
-}
-EOF
-cat > "/etc/nginx/sites-available/${domain}" << EOF
 server {
-	server_tokens off;
+        server_tokens off;
-	server_name ${domain};
+        server_name YOU_DOMAIN *.YOU_DOMAIN;
-	listen 7443 ssl http2 proxy_protocol;
+        listen 80;
-	listen [::]:7443 ssl http2 proxy_protocol;
+        listen [::]:80;
-	index index.html index.htm index.php index.nginx-debian.html;
+        listen 443 ssl http2;
-	root /var/www/html/;
+        listen [::]:443 ssl http2;
-	ssl_protocols TLSv1.2 TLSv1.3;
+        #http2 on; http3 on;
-	ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!DES:!RC4:!ADH:!SSLv3:!EXP:!PSK:!DSS;
+        index index.html index.htm index.php index.nginx-debian.html;
-	ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+        root /var/www/html/;
-	ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
-	if (\$host !~* ^(.+\.)?$domain\$ ){return 444;}
+        ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!DES:!RC4:!ADH:!SSLv3:!EXP:!PSK:!DSS;
-	if (\$scheme ~* https) {set \$safe 1;}
+        ssl_certificate /etc/letsencrypt/live/YOU_DOMAIN/fullchain.pem;
-	if (\$ssl_server_name !~* ^(.+\.)?$domain\$ ) {set \$safe "\${safe}0"; }
+        ssl_certificate_key /etc/letsencrypt/live/YOU_DOMAIN/privkey.pem;
-	if (\$safe = 10){return 444;}
+        if ($host !~* ^(.+\.)?YOU_DOMAIN$ ){return 444;}
-	if (\$request_uri ~ "(\"|'|\`|~|,|:|--|;|%|\\$|&&|\?\?|0x00|0X00|\||\\|\{|\}|\[|\]|<|>|\.\.\.|\.\.\/|\/\/\/)"){set \$hack 1;}
+        if ($scheme ~* https) {set $safe 1;}
-	error_page 400 401 402 403 500 501 502 503 504 =404 /404;
+        if ($ssl_server_name !~* ^(.+\.)?YOU_DOMAIN$ ) {set $safe "${safe}0"; }
-	proxy_intercept_errors on;
+        if ($safe = 10){return 444;}
-	#X-UI Admin Panel
+        if ($request_uri ~ "(\"|'|`|~|,|:|--|;|%|\$|&&|\?\?|0x00|0X00|\||\|\{|\}|\[|\]|<|>|\.\.\.|\.\.\/|\/\/\/)"){set $hack 1;}
-	location /${panel_path}/ {
+        error_page 400 402 403 500 501 502 503 504 =404 /404;
-		proxy_redirect off;
+        proxy_intercept_errors on;
-		proxy_set_header Host \$host;
+        #X-UI Admin Panel
-		proxy_set_header X-Real-IP \$remote_addr;
+        location /RANDOM_STRING/ {
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+                #auth_basic "Restricted Access";
-		proxy_pass http://127.0.0.1:${panel_port};
+                #auth_basic_user_file /etc/nginx/.htpasswd;
-		break;
-	}
-        location /${panel_path} {
-		proxy_redirect off;
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:${panel_port};
-		break;
-	}
-  	#sub2sing-box
-	location /${sub2singbox_path}/ {
-		proxy_redirect off;
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:8080/;
-		}
-    # Path to open clash.yaml and generate YAML
-    location ~ ^/${web_path}/clashmeta/(.+)$ {
-        default_type text/plain;
-        ssi on;
-        ssi_types text/plain;
-        set \$subid \$1;
-        root /var/www/subpage;
-        try_files /clash.yaml =404;
-    }
-    # web
-    location ~ ^/${web_path} {
-        root /var/www/subpage;
-        index index.html;
-        try_files \$uri \$uri/ /index.html =404;
-    }
- 	#Subscription Path (simple/encode)
-        location /${sub_path} {
-                if (\$hack = 1) {return 404;}
                 proxy_redirect off;
-                proxy_set_header Host \$host;
+                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP \$remote_addr;
+                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
+                proxy_pass http://127.0.0.1:RANDOM_PORT;
                 break;
         }
-	location /${sub_path}/ {
+        #Subscription Path (simple/encode)
-                if (\$hack = 1) {return 404;}
+        location ~ ^/(?<fwdport>\d+)/sub/(?<fwdpath>.*)$ {
+                if ($hack = 1) {return 404;}
                 proxy_redirect off;
-                proxy_set_header Host \$host;
+                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP \$remote_addr;
+                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
+                proxy_pass http://127.0.0.1:$fwdport/sub/$fwdpath$is_args$args;
                 break;
         }
-	#Subscription Path (json/fragment)
+        #Subscription Path (json/fragment)
-        location /${json_path} {
+        location ~ ^/(?<fwdport>\d+)/json/(?<fwdpath>.*)$ {
-                if (\$hack = 1) {return 404;}
+                if ($hack = 1) {return 404;}
                 proxy_redirect off;
-                proxy_set_header Host \$host;
+                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP \$remote_addr;
+                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
+                proxy_pass http://127.0.0.1:$fwdport/json/$fwdpath$is_args$args;
                 break;
         }
-	location /${json_path}/ {
+        #Xray Config Path
-                if (\$hack = 1) {return 404;}
+        location ~ ^/(?<fwdport>\d+)/(?<fwdpath>.*)$ {
-                proxy_redirect off;
+                if ($hack = 1) {return 404;}
-                proxy_set_header Host \$host;
+                #if ($cloudflare_ip != 1) {return 404;}
-                proxy_set_header X-Real-IP \$remote_addr;
+                #if ($http_cf_ipcountry !~* "XX"){ return 404; }
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+                #if ($http_user_agent ~* "(bot|clash|fair|go-http|hiddify|java|neko|node|proxy|python|ray|sager|sing|tunnel|v2box|vpn)") { return 404; }
-                proxy_pass http://127.0.0.1:${sub_port};
+                client_max_body_size 0;
+                client_body_timeout 1d;
+                grpc_read_timeout 1d;
+                grpc_socket_keepalive on;
+                proxy_read_timeout 1d;
+                proxy_http_version 1.1;
+                proxy_buffering off;
+                proxy_request_buffering off;
+                proxy_socket_keepalive on;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                if ($content_type ~* "GRPC") { grpc_pass grpc://127.0.0.1:$fwdport$is_args$args; break; }
+                proxy_pass http://127.0.0.1:$fwdport$is_args$args;
                 break;
         }
-        #XHTTP
+         location / { try_files $uri $uri/ =404; }
-        location /${xhttp_path} {
-          grpc_pass grpc://unix:/dev/shm/uds2023.sock;
-          grpc_buffer_size         16k;
-          grpc_socket_keepalive    on;
-          grpc_read_timeout        1h;
-          grpc_send_timeout        1h;
-          grpc_set_header Connection         "";
-          grpc_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
-          grpc_set_header X-Forwarded-Proto  \$scheme;
-          grpc_set_header X-Forwarded-Port   \$server_port;
-          grpc_set_header Host               \$host;
-          grpc_set_header X-Forwarded-Host   \$host;
-          }
- 	#Xray Config Path
-	location ~ ^/(?<fwdport>\d+)/(?<fwdpath>.*)\$ {
-	$CF_IP	if (\$cloudflare_ip != 1) {return 404;}
-		if (\$hack = 1) {return 404;}
-		client_max_body_size 0;
-		client_body_timeout 1d;
-		grpc_read_timeout 1d;
-		grpc_socket_keepalive on;
-		proxy_read_timeout 1d;
-		proxy_http_version 1.1;
-		proxy_buffering off;
-		proxy_request_buffering off;
-		proxy_socket_keepalive on;
-		proxy_set_header Upgrade \$http_upgrade;
-		proxy_set_header Connection "upgrade";
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		#proxy_set_header CF-IPCountry \$http_cf_ipcountry;
-		#proxy_set_header CF-IP \$realip_remote_addr;
-		if (\$content_type ~* "GRPC") {
-			grpc_pass grpc://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-		}
-		if (\$http_upgrade ~* "(WEBSOCKET|WS)") {
-			proxy_pass http://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-	        }
-		if (\$request_method ~* ^(PUT|POST|GET)\$) {
-			proxy_pass http://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-		}
-	}
-	location / { try_files \$uri \$uri/ =404; }
 }
-EOF
-cat > "/etc/nginx/sites-available/${reality_domain}" << EOF
-server {
-	server_tokens off;
-	server_name ${reality_domain};
-	listen 9443 ssl http2;
-	listen [::]:9443 ssl http2;
-	index index.html index.htm index.php index.nginx-debian.html;
-	root /var/www/html/;
-	ssl_protocols TLSv1.2 TLSv1.3;
-	ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!DES:!RC4:!ADH:!SSLv3:!EXP:!PSK:!DSS;
-	ssl_certificate /etc/letsencrypt/live/$reality_domain/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/$reality_domain/privkey.pem;
-	if (\$host !~* ^(.+\.)?${reality_domain}\$ ){return 444;}
-	if (\$scheme ~* https) {set \$safe 1;}
-	if (\$ssl_server_name !~* ^(.+\.)?${reality_domain}\$ ) {set \$safe "\${safe}0"; }
-	if (\$safe = 10){return 444;}
-	if (\$request_uri ~ "(\"|'|\`|~|,|:|--|;|%|\\$|&&|\?\?|0x00|0X00|\||\\|\{|\}|\[|\]|<|>|\.\.\.|\.\.\/|\/\/\/)"){set \$hack 1;}
-	error_page 400 401 402 403 500 501 502 503 504 =404 /404;
-	proxy_intercept_errors on;
-	#X-UI Admin Panel
-	location /${panel_path}/ {
-		proxy_redirect off;
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:${panel_port};
-		break;
-	}
-        location /$panel_path {
-		proxy_redirect off;
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:${panel_port};
-		break;
-	}
-  	#sub2sing-box
-	location /${sub2singbox_path}/ {
-		proxy_redirect off;
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		proxy_pass http://127.0.0.1:8080/;
-		}
-    # Path to open clash.yaml and generate YAML
-    location ~ ^/${web_path}/clashmeta/(.+)$ {
-        default_type text/plain;
-        ssi on;
-        ssi_types text/plain;
-        set \$subid \$1;
-        root /var/www/subpage;
-        try_files /clash.yaml =404;
-    }
-    # web
-    location ~ ^/${web_path} {
-        root /var/www/subpage;
-        index index.html;
-        try_files \$uri \$uri/ /index.html =404;
-    }
- 	#Subscription Path (simple/encode)
-        location /${sub_path} {
-                if (\$hack = 1) {return 404;}
-                proxy_redirect off;
-                proxy_set_header Host \$host;
-                proxy_set_header X-Real-IP \$remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
-                break;
-        }
-	location /${sub_path}/ {
-                if (\$hack = 1) {return 404;}
-                proxy_redirect off;
-                proxy_set_header Host \$host;
-                proxy_set_header X-Real-IP \$remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
-                break;
-        }
-	#Subscription Path (json/fragment)
-        location /${json_path} {
-                if (\$hack = 1) {return 404;}
-                proxy_redirect off;
-                proxy_set_header Host \$host;
-                proxy_set_header X-Real-IP \$remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
-                break;
-        }
-	location /${json_path}/ {
-                if (\$hack = 1) {return 404;}
-                proxy_redirect off;
-                proxy_set_header Host \$host;
-                proxy_set_header X-Real-IP \$remote_addr;
-                proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-                proxy_pass http://127.0.0.1:${sub_port};
-                break;
-        }
-        #XHTTP
-        location /${xhttp_path} {
-          grpc_pass grpc://unix:/dev/shm/uds2023.sock;
-          grpc_buffer_size         16k;
-          grpc_socket_keepalive    on;
-          grpc_read_timeout        1h;
-          grpc_send_timeout        1h;
-          grpc_set_header Connection         "";
-          grpc_set_header X-Forwarded-For    \$proxy_add_x_forwarded_for;
-          grpc_set_header X-Forwarded-Proto  \$scheme;
-          grpc_set_header X-Forwarded-Port   \$server_port;
-          grpc_set_header Host               \$host;
-          grpc_set_header X-Forwarded-Host   \$host;
-          }
- 	#Xray Config Path
-	location ~ ^/(?<fwdport>\d+)/(?<fwdpath>.*)\$ {
-	$CF_IP	if (\$cloudflare_ip != 1) {return 404;}
-		if (\$hack = 1) {return 404;}
-		client_max_body_size 0;
-		client_body_timeout 1d;
-		grpc_read_timeout 1d;
-		grpc_socket_keepalive on;
-		proxy_read_timeout 1d;
-		proxy_http_version 1.1;
-		proxy_buffering off;
-		proxy_request_buffering off;
-		proxy_socket_keepalive on;
-		proxy_set_header Upgrade \$http_upgrade;
-		proxy_set_header Connection "upgrade";
-		proxy_set_header Host \$host;
-		proxy_set_header X-Real-IP \$remote_addr;
-		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-		#proxy_set_header CF-IPCountry \$http_cf_ipcountry;
-		#proxy_set_header CF-IP \$realip_remote_addr;
-		if (\$content_type ~* "GRPC") {
-			grpc_pass grpc://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-		}
-		if (\$http_upgrade ~* "(WEBSOCKET|WS)") {
-			proxy_pass http://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-	        }
-		if (\$request_method ~* ^(PUT|POST|GET)\$) {
-			proxy_pass http://127.0.0.1:\$fwdport\$is_args\$args;
-			break;
-		}
-	}
-	location / { try_files \$uri \$uri/ =404; }
-}
-EOF
 </code>