
@flxxyz
Last active June 19, 2023 10:48
mirror.flxxyz.com nginx反代配置(gist.github.com & open.douyucdn.cn & raw.githubusercontent.com & gist.githubusercontent.com)
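<!DOCTYPE html>
<html>
<head>
<!-- Declare the encoding with the standard charset form; browsers do not act on a meta element whose name is "content-type". -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, viewport-fit=cover" />
<title>hello mirror</title>
</head>
<body>
<h1>Hello Mirror</h1>
<h2>Support Server</h2>
<!-- Each entry links to a sample path under a mirror prefix and names the origin host that the prefix stands for. -->
<ul>
<li><a href="/douyu/api/RoomApi/room/452628" rel="nofollow">mirror.flxxyz.com/douyu/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: open.douyucdn.cn/&lt;replace_path&gt;</li>
<li><a href="/githubraw/golang/go/master/README.md" rel="nofollow">mirror.flxxyz.com/githubraw/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: raw.githubusercontent.com/&lt;replace_path&gt;</li>
<li><a href="/githubassets/apple-touch-icon-144x144.png" rel="nofollow">mirror.flxxyz.com/githubassets/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: github.githubassets.com/&lt;replace_path&gt;</li>
<li><a href="/gist/flxxyz" rel="nofollow">mirror.flxxyz.com/gist/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: gist.github.com/&lt;replace_path&gt;</li>
<li><a href="/gistraw/flxxyz/b7ec986055f06269960c1bdf7af66bec/raw/ce7a4ab952d67a13f8bd7c35ede4dfebb9219b9b/CheckIPvNSupport.go" rel="nofollow">mirror.flxxyz.com/gistraw/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: gist.githubusercontent.com/&lt;replace_path&gt;</li>
</ul>
<p>powered by <a href="https://github.com/flxxyz">flxxyz</a>.</p>
</body>
</html>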
# Upstream groups for the four origins that are proxied through a named group.
# `keepalive 32` keeps up to 32 idle connections per worker process open for reuse.
# NOTE(review): upstream keepalive only takes effect when the proxying location
# sets `proxy_http_version 1.1` and clears the Connection header
# (`proxy_set_header Connection "";`).
# NOTE(review): the hostnames below are resolved when the configuration is loaded;
# an address change at the origin is only picked up on the next reload.
upstream raw-github {
server raw.githubusercontent.com:443;
keepalive 32;
}
upstream raw-gist-github {
server gist.githubusercontent.com:443;
keepalive 32;
}
upstream assets-github {
server github.githubassets.com:443;
keepalive 32;
}
upstream open-douyu {
server open.douyucdn.cn:443;
keepalive 32;
}
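# Plain-HTTP listener: permanently redirects every request to the HTTPS site.
server {
    listen [::]:80;
    listen 80;
    server_name mirror.flxxyz.com;
    # Redirect to the configured name rather than $host: $host echoes the
    # client-supplied Host header, and if this block is the default server for
    # port 80 a request could otherwise choose its own redirect target.
    return 301 https://$server_name$request_uri;
}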
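# HTTPS virtual host for the mirror: serves the static index page from `root`
# and reverse-proxies five path prefixes to GitHub and Douyu origins.
#
# NOTE(review): all proxied origins are re-served from this single origin, and
# the locations below strip the upstream Content-Security-Policy. User-controlled
# upstream content is therefore delivered without the origin's own policy;
# consider sending a restrictive policy of your own with add_header.
# NOTE(review): the proxy locations accept any method and any client. If the
# mirror is meant to be read-only, a `limit_except GET HEAD { deny all; }` in
# each location keeps form posts (including credentials typed into mirrored
# pages) from transiting this host; rate limiting is also absent.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name mirror.flxxyz.com;
    index index.html;
    root /www/wwwroot/mirror_flxxyz_com;

    # OCSP stapling, verified against the same chain file that is served.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/someone/.acme.sh/mirror.flxxyz.com/fullchain.cer;
    ssl_certificate /home/someone/.acme.sh/mirror.flxxyz.com/fullchain.cer;
    ssl_certificate_key /home/someone/.acme.sh/mirror.flxxyz.com/mirror.flxxyz.com.key;

    # TLS 1.2/1.3 only, AEAD suites with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # NOTE(review): TLS 1.3 early (0-RTT) data can be replayed. The locations
    # forward an Early-Data header so an origin could refuse such requests, but
    # whether these third-party origins honour it cannot be seen from here.
    ssl_early_data on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # 497 = plain HTTP sent to the TLS port; answer with a redirect to HTTPS.
    error_page 497 https://$host$request_uri;

    # raw.githubusercontent.com
    location ^~ /githubraw/ {
        # NOTE(review): no valid_referers directive is visible in this server
        # block, and without one $invalid_referer stays empty, so this check
        # appears never to return 403. If hotlink protection is intended,
        # declare the allowed list first, for example:
        #   valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 403;
        }
        # Upstream policy headers and cookies are not passed to the client.
        proxy_hide_header content-security-policy;
        proxy_hide_header strict-transport-security;
        proxy_hide_header set-cookie;
        proxy_hide_header x-pjax-url;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header User-Agent $http_user_agent;
        # NOTE(review): these two headers disclose each visitor's IP address to
        # the third-party origin.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host raw.githubusercontent.com;
        # Required for the upstream group's keepalive pool to be used.
        proxy_set_header Connection "";
        # proxy_pass names an upstream group, so the real hostname has to be
        # given explicitly for SNI.
        proxy_ssl_server_name on;
        proxy_ssl_name raw.githubusercontent.com;
        # NOTE(review): nginx does not verify the upstream certificate unless
        # asked to. To authenticate the origin, enable:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;
        # NOTE(review): proxy_cache_valid / proxy_cache_use_stale only matter
        # if a proxy_cache zone is enabled at a level not shown here.
        proxy_cache_valid 200 302 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating
            http_500 http_502 http_503 http_504;
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_redirect off;
        client_max_body_size 20m;
        proxy_pass https://raw-github/;
    }

    # gist.github.com (HTML pages, rewritten to stay on the mirror)
    location ^~ /gist/ {
        proxy_hide_header referrer-policy;
        proxy_hide_header content-security-policy;
        proxy_hide_header strict-transport-security;
        proxy_hide_header set-cookie;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header User-Agent $http_user_agent;
        # Ask the origin for an uncompressed body so sub_filter can rewrite it.
        proxy_set_header Accept-Encoding "";
        # Send the proxy_pass hostname as SNI; see the certificate-verification
        # note in the /githubraw/ location, which applies here as well.
        proxy_ssl_server_name on;
        proxy_cache_valid 200 302 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating
            http_500 http_502 http_503 http_504;
        # Keep redirects and in-page links on the mirror's own prefixes.
        proxy_redirect '//gist.github.com/' '//mirror.flxxyz.com/gist/';
        proxy_redirect '//gist.githubusercontent.com/' '//mirror.flxxyz.com/gistraw/';
        sub_filter '="/' '="https://mirror.flxxyz.com/gist/';
        sub_filter '//gist.github.com/' '//mirror.flxxyz.com/gist/';
        sub_filter '//github.githubassets.com/' '//mirror.flxxyz.com/githubassets/';
        sub_filter_once off;
        sub_filter_last_modified on;
        sub_filter_types *;
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 5m;
        proxy_pass https://gist.github.com/;
    }

    # gist.githubusercontent.com
    location ^~ /gistraw/ {
        # NOTE(review): same as /githubraw/ - without a valid_referers
        # directive this check appears never to fire.
        if ($invalid_referer) {
            return 403;
        }
        proxy_hide_header content-security-policy;
        proxy_hide_header strict-transport-security;
        proxy_hide_header set-cookie;
        proxy_hide_header x-pjax-url;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host gist.githubusercontent.com;
        # Required for the upstream group's keepalive pool to be used.
        proxy_set_header Connection "";
        # Real hostname for SNI, since proxy_pass names an upstream group.
        proxy_ssl_server_name on;
        proxy_ssl_name gist.githubusercontent.com;
        proxy_cache_valid 200 302 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating
            http_500 http_502 http_503 http_504;
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_redirect off;
        client_max_body_size 20m;
        proxy_pass https://raw-gist-github/;
    }

    # github.githubassets.com (static assets, long cache lifetime)
    location ^~ /githubassets/ {
        proxy_hide_header content-security-policy;
        proxy_hide_header strict-transport-security;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host github.githubassets.com;
        proxy_set_header REMOTE-HOST $remote_addr;
        # HTTP/1.1 with an empty Connection header is what lets the upstream
        # group's keepalive pool be used; this location previously set neither.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Real hostname for SNI, since proxy_pass names an upstream group.
        proxy_ssl_server_name on;
        proxy_ssl_name github.githubassets.com;
        # The origin's caching headers are ignored in favour of the fixed
        # lifetimes below.
        proxy_ignore_headers set-cookie cache-control expires;
        proxy_cache_key $host$uri$is_args$args;
        proxy_cache_valid 200 304 301 302 480m;
        proxy_cache_valid 404 1m;
        expires 12h;
        client_max_body_size 5m;
        proxy_pass https://assets-github/;
    }

    # open.douyucdn.cn
    location ^~ /douyu/ {
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host open.douyucdn.cn;
        # Required for the upstream group's keepalive pool to be used.
        proxy_set_header Connection "";
        # Real hostname for SNI, since proxy_pass names an upstream group.
        proxy_ssl_server_name on;
        proxy_ssl_name open.douyucdn.cn;
        proxy_cache_valid 200 302 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout invalid_header updating
            http_500 http_502 http_503 http_504;
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_redirect off;
        client_max_body_size 5m;
        proxy_pass https://open-douyu/;
    }

    # Served from `root`. The regex is unanchored, so it matches ".well-known"
    # anywhere in a URI that none of the ^~ prefixes above has claimed.
    location ~ \.well-known {
        allow all;
    }
    location /robots.txt {
        allow all;
    }

    # Block search engine crawlers by User-Agent. This is a courtesy filter
    # only: the header is client-controlled.
    if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
        return 403;
    }

    access_log /www/wwwlogs/mirror_flxxyz_com.log;
    error_log /www/wwwlogs/mirror_flxxyz_com.error.log;
}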

flxxyz commented Nov 30, 2022

搜索 mirror.flxxyz.com 替换为自己服务地址


flxxyz commented Nov 30, 2022

简单的证书申请

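# Download the acme.sh bootstrap script to a file instead of piping it straight
# into sh, so that what is about to run can be read first and a truncated or
# failed download (-f) is not executed.
curl -fsSL https://get.acme.sh -o get-acme.sh
# After reviewing get-acme.sh, run it with the account e-mail address.
# NOTE(review): the bootstrap fetches the acme.sh code itself at run time;
# installing from a checkout of a pinned release is the stricter option.
sh get-acme.sh email=可访问的邮箱地址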

开始申请证书

通过网站验证

# Issue a certificate with HTTP validation: acme.sh writes the challenge file
# under the given webroot, so that directory must be the one the web server
# serves for the domain passed to -d.
acme.sh --issue -d 填上申请的域名 --webroot /path/to/网站的绝对根目录

通过 dns 申请

直接将 cloudflare 弄到的 apikey 放在里面

vim ~/.acme.sh/account.conf

填这几个变量就行

# Cloudflare credentials for the dns_cf hook, stored in ~/.acme.sh/account.conf.
# NOTE(review): CF_Key is the account-wide Global API Key, so anyone who can
# read this file can change every zone in the account. dns_cf also accepts a
# scoped API token (CF_Token together with CF_Account_ID or CF_Zone_ID); prefer
# a token limited to DNS edits on the one zone, and keep the file readable by
# its owner only.
# NOTE(review): the key below looks like a redacted sample - never publish a real one.
SAVED_CF_Key='1649d5f0000000000005ded4434e4'
SAVED_CF_Email='登录的邮箱'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

开始申请

# Issue a certificate with DNS validation through the Cloudflare hook (dns_cf),
# using the credentials saved in account.conf; --log enables acme.sh's log file.
acme.sh --issue --dns dns_cf -d 填上申请的域名 --log


flxxyz commented May 9, 2023

简单的 openssl 自签证书

生成证书密钥

# Generate a 4096-bit RSA private key. No cipher option is given, so the key is
# written unencrypted; restrict the file's permissions before deploying it.
openssl genrsa -out server.key 4096

生成证书请求

# Create a certificate signing request for server.key.
# NOTE(review): "subjectAltName=..." inside -subj is treated as one more
# attribute of the Subject DN; it does not create the X.509 subjectAltName
# extension that clients use for hostname matching.
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=Washington/L=Washington/CN=tiktok.com/subjectAltName=*.tiktok.com"

签发证书

# Self-sign the request with the same key (-signkey), valid for 3650 days.
# The result is not issued by any CA, so clients that validate certificates
# will not trust it.
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650

把默认的 443 配置改掉

# Catch-all TLS virtual host (default_server, server_name _): a request on 443
# whose name matches no other server block is handled here, shown the
# self-signed certificate and redirected away.
# NOTE(review): nginx 1.19.4+ provides `ssl_reject_handshake on;` for this
# purpose; it refuses handshakes for unknown names, so no certificate has to be
# presented and no certificate naming a domain the operator does not control
# is needed.
server {
    server_name _;
    listen [::]:443 ssl default_server;
    listen 443 ssl default_server;

    # Self-signed key and certificate.
    ssl_certificate_key /etc/nginx/sites-available/server.key;
    ssl_certificate /etc/nginx/sites-available/server.crt;

    # Session handling: shared 10 MB cache, 5 minute lifetime, no tickets.
    ssl_session_tickets off;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    # Protocol and cipher policy.
    ssl_early_data on;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Every request that reaches this block is redirected.
    return 301 https://www.tiktok.com;
}

检查 nginx 配置是不是正常

nginx -t

重新加载 nginx 配置

systemctl reload nginx
