Skip to content

Instantly share code, notes, and snippets.

@flxxyz
Last active June 19, 2023 10:48
Show Gist options
  • Save flxxyz/b338666ba7e8cd040b78e667976bf34a to your computer and use it in GitHub Desktop.
Save flxxyz/b338666ba7e8cd040b78e667976bf34a to your computer and use it in GitHub Desktop.
mirror.flxxyz.com nginx反代配置(gist.github.com & open.douyucdn.cn & raw.githubusercontent.com & gist.githubusercontent.com)
<!DOCTYPE html>
<html>
<head>
<meta name="content-type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, viewport-fit=cover" />
<title>hello mirror</title>
</head>
<body>
<h1>Hello Mirror</h1>
<h2>Support Server</h2>
<ul>
<li><a href="/douyu/api/RoomApi/room/452628" rel="nofollow">mirror.flxxyz.com/douyu/&lt;replace_path&gt;</a>&nbsp;&nbsp;example: open.douyucdn.cn/&lt;replace_path&gt;</li>
<li><a href="/githubraw/golang/go/master/README.md" rel="nofollow">mirror.flxxyz.com/githubraw/&lt;replace_path&gt;</a>&nbsp;&nbsp;exmaple: raw.githubusercontent.com/&lt;replace_path&gt;</li>
<li><a href="/githubassets/apple-touch-icon-144x144.png" rel="nofollow">mirror.flxxyz.com/githubassets/&lt;replace_path&gt;</a>&nbsp;&nbsp;exmaple: github.githubassets.com/&lt;replace_path&gt;</li>
<li><a href="/gist/flxxyz" rel="nofollow">mirror.flxxyz.com/gist/&lt;replace_path&gt;</a>&nbsp;&nbsp;exmaple: gist.github.com/&lt;replace_path&gt;</li>
<li><a href="/gistraw/flxxyz/b7ec986055f06269960c1bdf7af66bec/raw/ce7a4ab952d67a13f8bd7c35ede4dfebb9219b9b/CheckIPvNSupport.go" rel="nofollow">mirror.flxxyz.com/gistraw/&lt;replace_path&gt;</a>&nbsp;&nbsp;exmaple: gist.githubusercontent.com/&lt;replace_path&gt;</li>
</ul>
<p>power by <a href="https://github.com/flxxyz">flxxyz</a>.</p>
</body>
</html>
upstream raw-github {
server raw.githubusercontent.com:443;
keepalive 32;
}
upstream raw-gist-github {
server gist.githubusercontent.com:443;
keepalive 32;
}
upstream assets-github {
server github.githubassets.com:443;
keepalive 32;
}
upstream open-douyu {
server open.douyucdn.cn:443;
keepalive 32;
}
server {
listen [::]:80;
listen 80;
server_name mirror.flxxyz.com;
return 301 https://$host$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name mirror.flxxyz.com;
index index.html;
root /www/wwwroot/mirror_flxxyz_com;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/someone/.acme.sh/mirror.flxxyz.com/fullchain.cer;
ssl_certificate /home/someone/.acme.sh/mirror.flxxyz.com/fullchain.cer;
ssl_certificate_key /home/someone/.acme.sh/mirror.flxxyz.com/mirror.flxxyz.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_early_data on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
error_page 497 https://$host$request_uri;
location ^~ /githubraw/ {
if ($invalid_referer){
return 403;
}
proxy_hide_header content-security-policy;
proxy_hide_header strict-transport-security;
proxy_hide_header set-cookie;
proxy_hide_header x-pjax-url;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host raw.githubusercontent.com;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
proxy_http_version 1.1;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
client_max_body_size 20m;
proxy_pass https://raw-github/;
}
location ^~ /gist/ {
proxy_hide_header referrer-policy;
proxy_hide_header content-security-policy;
proxy_hide_header strict-transport-security;
proxy_hide_header set-cookie;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Accept-Encoding "";
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
proxy_redirect '//gist.github.com/' '//mirror.flxxyz.com/gist/';
proxy_redirect '//gist.githubusercontent.com/' '//mirror.flxxyz.com/gistraw/';
sub_filter '="/' '="https://mirror.flxxyz.com/gist/';
sub_filter '//gist.github.com/' '//mirror.flxxyz.com/gist/';
sub_filter '//github.githubassets.com/' '//mirror.flxxyz.com/githubassets/';
sub_filter_once off;
sub_filter_last_modified on;
sub_filter_types *;
proxy_http_version 1.1;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
client_max_body_size 5m;
proxy_pass https://gist.github.com/;
}
location ^~ /gistraw/ {
if ($invalid_referer){
return 403;
}
proxy_hide_header content-security-policy;
proxy_hide_header strict-transport-security;
proxy_hide_header set-cookie;
proxy_hide_header x-pjax-url;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host gist.githubusercontent.com;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
proxy_http_version 1.1;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
client_max_body_size 20m;
proxy_pass https://raw-gist-github/;
}
location ^~ /githubassets/ {
proxy_hide_header content-security-policy;
proxy_hide_header strict-transport-security;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host github.githubassets.com;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_ignore_headers set-cookie cache-control expires;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_valid 200 304 301 302 480m;
proxy_cache_valid 404 1m;
expires 12h;
client_max_body_size 5m;
proxy_pass https://assets-github/;
}
location ^~ /douyu/ {
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host open.douyucdn.cn;
proxy_cache_valid 200 302 1h;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
proxy_http_version 1.1;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_redirect off;
client_max_body_size 5m;
proxy_pass https://open-douyu/;
}
location ~ \.well-known {
allow all;
}
location /robots.txt {
allow all;
}
# Block search engine
if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
return 403;
}
access_log /www/wwwlogs/mirror_flxxyz_com.log;
error_log /www/wwwlogs/mirror_flxxyz_com.error.log;
}
@flxxyz
Copy link
Author

flxxyz commented Nov 30, 2022

简单的证书申请

# 下载 acme.sh
curl https://get.acme.sh | sh -s email=可访问的邮箱地址

开始申请证书

通过网站验证

acme.sh --issue -d 填上申请的域名 --webroot /path/to/网站的绝对根目录

通过 dns 申请

直接将 cloudflare 弄到的 apikey 放在里面

vim ~/.acme.sh/account.conf

填这几个变量就行

SAVED_CF_Key='1649d5f0000000000005ded4434e4'
SAVED_CF_Email='登录的邮箱'
USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

开始申请

acme.sh --issue --dns dns_cf -d 填上申请的域名 --log

@flxxyz
Copy link
Author

flxxyz commented May 9, 2023

简单的 openssl 自签证书

生成证书密钥

openssl genrsa -out server.key 4096

生成证书请求

openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=Washington/L=Washington/CN=tiktok.com/subjectAltName=*.tiktok.com"

签发证书

openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650

把默认的 443 配置改掉

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate /etc/nginx/sites-available/server.crt;
    ssl_certificate_key /etc/nginx/sites-available/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_early_data on;  

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    return 301 https://www.tiktok.com;
}

检查 nginx 配置是不是正常

nginx -t

重启 nginx

systemctl reload nginx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment