Nginx Reverse Proxy


A very brief nginx reverse-proxy procedure that works very well.

A simple nginx configuration that lets certbot complete its validation:

sudo nano /etc/nginx/conf.d/banfanbuse.xyz.conf

server {
    listen 80;
    listen [::]:80;
    server_name banfanbuse.xyz www.banfanbuse.xyz;

    # Certbot will temporarily use this location block for verification
    # during the certificate issuance process.

    # You can remove the proxy_pass for now, or leave it, 
    # but a simple block is often best for initial setup:
    location / {
        # This can be empty or point to a default page until Certbot runs
    }
}

Use certbot + Let's Encrypt:

sudo certbot --nginx -d banfanbuse.xyz -d www.banfanbuse.xyz

If it succeeds:

-1% 2025-12-07 04:19:17 ⌚  Ubuntu-Workspace in ~/hugo/banfanbuse.xyz
± |main U:5 ?:2 ✗| → sudo certbot --nginx -d banfanbuse.xyz -d www.banfanbuse.xyz
[sudo] password for flkstone: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for banfanbuse.xyz and www.banfanbuse.xyz

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/banfanbuse.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/banfanbuse.xyz/privkey.pem
This certificate expires on 2026-03-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for banfanbuse.xyz to /etc/nginx/conf.d/banfanbuse.xyz.conf
Successfully deployed certificate for www.banfanbuse.xyz to /etc/nginx/conf.d/banfanbuse.xyz.conf
Congratulations! You have successfully enabled HTTPS on https://banfanbuse.xyz and https://www.banfanbuse.xyz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

certbot automatically modifies the nginx configuration:

server {
    server_name banfanbuse.xyz www.banfanbuse.xyz;

    # Certbot will temporarily use this location block for verification
    # during the certificate issuance process.

    # You can remove the proxy_pass for now, or leave it, 
    # but a simple block is often best for initial setup:

    location / {
        # This can be empty or point to a default page until Certbot runs
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/banfanbuse.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/banfanbuse.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {

    if ($host = www.banfanbuse.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = banfanbuse.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name banfanbuse.xyz www.banfanbuse.xyz;
    return 404; # managed by Certbot
}

Modify the nginx configuration:

sudo nano /etc/nginx/conf.d/banfanbuse.xyz.conf

server {
    server_name banfanbuse.xyz www.banfanbuse.xyz;

    # --- HTTPS Configuration (Managed by Certbot) ---
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/banfanbuse.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/banfanbuse.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # --- REVERSE PROXY CONFIGURATION ADDED HERE ---
    location / {
        # Forward traffic to the backend application running on 127.0.0.1:1313
        proxy_pass http://127.0.0.1:1313; 

        # Forward headers required for a robust proxy setup
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        proxy_http_version 1.1;
    }
}

server {
    # --- HTTP to HTTPS REDIRECT (Managed by Certbot) ---

    if ($host = www.banfanbuse.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = banfanbuse.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name banfanbuse.xyz www.banfanbuse.xyz;
    
    # Certbot added this 404. Change it to redirect all remaining HTTP traffic.
    return 301 https://$host$request_uri; 
}

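Finally, you can put the Cloudflare proxy in front. One thing to note about the Cloudflare proxy is that Cloudflare only forwards traffic on certain ports: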

Network ports compatible with Cloudflare's proxy

By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.

HTTP ports supported by Cloudflare: 80, 8080, 8880, 2052, 2082, 2086, 2095

HTTPS ports supported by Cloudflare: 443, 2053, 2083, 2087, 2096, 8443

Ports supported by Cloudflare, but with caching disabled: 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8880, 8443

Note that enabling the proxy for a port that is not on the supported list will cause access problems.
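The port restriction above can be checked before the proxy is switched on. The script below is an added example, not part of the original post: it reads an nginx configuration, extracts the `listen` ports, and compares them with the Cloudflare lists quoted above. The sample configuration is constructed, and its 8443 and 1313 listeners are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Port lists are the ones quoted above.
CF_HTTP_PORTS="80 8080 8880 2052 2082 2086 2095"
CF_HTTPS_PORTS="443 2053 2083 2087 2096 8443"
CF_NOCACHE_PORTS="2052 2053 2082 2083 2086 2087 2095 2096 8880 8443"

# in_list PORT LIST: succeed if PORT is one of the space-separated entries of LIST.
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# listen_ports: nginx config on stdin -> unique port numbers from `listen` directives.
listen_ports() {
    # Strip comments, then put every directive on its own line.
    sed 's/#.*//' | tr '{};' '\n\n\n' | awk '$1 == "listen" {
        n = split($2, p, ":")              # 443, 192.0.2.1:443 and [::]:443 all end in the port
        if (p[n] ~ /^[0-9]+$/) print p[n]  # skips unix: sockets and address-only listens
    }' | sort -nu
}

# check_cf_ports: print one verdict per port; return 1 if any port is not proxied.
check_cf_ports() {
    rc=0
    ports=$(listen_ports)
    while read -r port; do
        [ -n "$port" ] || continue
        if in_list "$port" "$CF_HTTP_PORTS"; then kind=http
        elif in_list "$port" "$CF_HTTPS_PORTS"; then kind=https
        else echo "$port unsupported"; rc=1; continue; fi
        if in_list "$port" "$CF_NOCACHE_PORTS"; then cache=no-cache; else cache=cached; fi
        echo "$port $kind $cache"
    done <<EOF
$ports
EOF
    return $rc
}

# Constructed sample: the listeners from the config above, plus two hypothetical extras.
sample_conf() {
    cat <<'EOF'
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server { listen 80; listen [::]:80; }
server { listen 8443 ssl; }
server { listen 1313; }   # hypothetical: backend port exposed directly
EOF
}

sample_conf | check_cf_ports || echo "at least one port will not be proxied by Cloudflare"
```

To check the real file, pipe it in instead of the sample: `check_cf_ports < /etc/nginx/conf.d/banfanbuse.xyz.conf`.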

Last updated on 2025-12-07