Snippet on boboboker~

nginx配置参考

Tue, 23 Dec 2025 00:00:00 +0800

nginx配置文件位于/etc/nginx目录，其中核心配置是/etc/nginx/nginx.conf，一般默认加载/etc/nginx/sites-enabled/目录中的站点配置。

站点配置文件内容可参考以下内容。

# 站点配置: example.com

# 站点证书 example.com *.example.com
ssl_certificate     /path/to/cert/example.com/cert.pem;
ssl_certificate_key /path/to/cert/example.com/key.pem;

# 支持常规连接和WebSocket连接
map $http_connection $connection_upgrade {
  "~*Upgrade" $http_connection;
  default keep-alive;
}

# HTTP服务 重定向到HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name example.com *.example.com;
    return 301 https://$server_name$request_uri;
}

# example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name example.com;

    # 默认跳转到博客站(也可以直接跳转)
    location / {
        #add_header Content-Type 'text/plain; charset=utf-8';
        #return 200 'maybe you are lost, please visit: https://blog.example.com ?';
        return 302 https://example.com/blog;
    }
    location /blog {
        return 301 https://blog.example.com;
    }

    # 反向代理内部业务(仅接口代理)
    location /service-name/ {
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        # 配置方式与实际转发效果如下:
        # 带后缀`/`: https://exmaple.com/service-name/abc/def?g=123&h=456  -> http://127.0.0.1:12345/abc/def?g=123&h=456
        # 无后缀`/`: https://exmaple.com/service-name/abc/def?g=123&h=456  -> http://127.0.0.1:12345/service-name/abc/def?g=123&h=456
        proxy_pass         http://127.0.0.1:12345/;
    }
}

# ws.example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ws.example.com;
    location / {
        add_header Content-Type 'text/plain; charset=utf-8';
        return 200 'hello, this is ws.example.com';
    }
    # 反向代理内部业务(接口+WebSocket)
    location /ws-path/ {
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_pass         http://127.0.0.1:12345;
    }
}

# grpc.example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name grpc.example.com;
    location / {
        add_header Content-Type 'text/plain; charset=utf-8';
        return 200 'hello, this is grpc.example.com';
    }
    # 反向代理内部业务(gRPC)
    location /<grpc-service-name>/ {
        grpc_pass        grpc://127.0.0.1:12345;
    }
}

# blog.example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blog.example.com;
    root /path/to/blog/root;
    location / {
        index index.html;
    }
}

# pxy.example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pxy.example.com;
    location / {
        proxy_redirect off;
        proxy_ssl_server_name on;
        proxy_pass https://jmsnet;
    }
}

# *.example.com 站点服务
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name *.example.com;
    error_page 404 = /error;
    location / {
        add_header Content-Type 'text/plain; charset=utf-8';
        return 200 'hello, goodbye';
    }
    location /error {
        add_header Content-Type 'text/plain; charset=utf-8';
        return 404 'maybe you are lost';
    }
}

代理配置

Fri, 12 Dec 2025 00:00:00 +0800

数据链路

大致数据链路如下图所示，基本思路是客户端经两级跳转访问服务端。

  sequenceDiagram
    Client->>In: 1. 客户端请求代理入口
    In->>Out: 2. 代理入口请求代理出口
    Out->>Server: 3. 代理出口访问目标服务
    Server->>Out: 4. 目标服务回复代理出口
    Out->>In: 5. 代理出口回复代理入口
    In->>Client: 6. 代理入口回复客户端

具备以下特点：

完整链路信息只有客户端得知，客户端看起来只是在访问In
只有In知道在访问Out，也只知道在访问Out，不知道实际目标
服务端只知道请求来自Out，不知道客户端存在

客户端配置

参考文档: dialer-proxy

代理节点部分核心配置如下:

proxies:
  - name: in  # 代理入口，常规配置
    type: ...
  - name: out # 代理出口，需要声明代理入口
    dialer-proxy: in
    type: ...

rules:
  - MATCH,out # 此处选择`out`节点

代理组部分核心配置如下:

proxy-groups:
  - name: PROXY # 默认代理策略，可以SAFE优先，也可以原生优先，推荐保证可用
    type: select
    proxies:
      - PROXY-SAFE
      - RAW
  - name: PROXY-CHEAP # 低计费策略，优先低倍率节点，推荐保证可用
    type: select / url-test / fallback
    proxies:
      - <node-name>
      - RAW
  - name: PROXY-SAFE # 稳定出口策略，不推荐自动回落
    type: select
    proxies:
      - <node-name>
  - name: dialer-in # 代理入口组，推荐保证可用且整体低延迟
    type: select / url-test / fallback
    hidden: true # 可以隐藏
    proxies:
      - <node-name>
  - name: RAW # 原生节点组
    type: select
    proxies:
      - <node-name>

服务端配置

# 代理服务端，以直连模式运行
mode: direct
listeners:
  # 服务协议：VMess
  # 传输方式：WebSocket 
  - name: vmess-ws&grpc
    type: vmess
    # 仅允许本机(反向代理)访问
    listen: 127.0.0.1
    # 服务端口
    port: 10800
    users:
      - username: 1
        uuid: <uuid>
        alterId: 0
    # WebSocket路径
    ws-path: /<websocket-path>/
    # gRPC服务名称
    grpc-service-name: <grpc-server-name>

# SSL证书配置
ssl_certificate     /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;

map $http_connection $connection_upgrade {
  "~*Upgrade" $http_connection;
  default keep-alive;
}

server {
    # 监听443端口，启用SSL加密，启用HTTP2(以支持gRPC)
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    # 服务器名称
    server_name <server-name>;
    # 常规站点配置
    location / {
        add_header Content-Type 'text/plain; charset=utf-8';
        return 200 'hello, this is my site';
    }
    # 反向代理WebSocket
    location /<websocket-path>/ {
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_pass         http://127.0.0.1:10800;
    }
    # 反向代理gRPC
    location /<grpc-server-name>/ {
        grpc_pass        grpc://127.0.0.1:10800;
    }
}

其他配置(客户端规则)

路由规则如下:

rules:
  # 拦截广告规则
  - RULE-SET,reject,REJECT
  # 直连私网、境内服务等
  - RULE-SET,private,DIRECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - DOMAIN-SUFFIX,cn,DIRECT
  - DOMAIN-KEYWORD,-cn,DIRECT
  - GEOSITE,CN,DIRECT
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  # 本地共享、大流量传输优先低计费节点
  - RULE-SET,share,PROXY-CHEAP
  - RULE-SET,download,PROXY-CHEAP
  # 确保稳定出口的服务优先SAFE节点
  - RULE-SET,safe,PROXY-SAFE
  - RULE-SET,telegramcidr,PROXY-SAFE
  # 已知服务和无匹配默认代理访问
  - RULE-SET,gfw,PROXY
  - RULE-SET,proxy,PROXY
  - MATCH,PROXY

路由规则集合如下所示:
在线规则集合参考项目: Loyalsoldier/clash-rules

rule-providers:
  # 大流量传输规则组
  download:
    type: inline
    behavior: classical
    payload:
      # huggingface model
      - DOMAIN-REGEX,^cdn-lfs.*.hf.co
      # dockerhub image
      - DOMAIN,production.cloudflare.docker.com
      # github image
      - DOMAIN,ghcr.io
      - DOMAIN,pkg-containers.githubusercontent.com
      # github storage
      - DOMAIN,objects.githubusercontent.com
      - DOMAIN,release-assets.githubusercontent.com
      # cloudflare R2 storage
      - DOMAIN-SUFFIX,r2.cloudflarestorage.com
      # sourceforge
      - DOMAIN-SUFFIX,dl.sourceforge.net
      # google drive
      - DOMAIN,drive.usercontent.google.com
      # youtube video
      - DOMAIN-SUFFIX,googlevideo.com
  # 确保出口稳定规则组
  safe:
    type: inline
    behavior: classical
    payload:
      - DOMAIN-SUFFIX,chatgpt.com
      - DOMAIN-SUFFIX,docker.com
      - DOMAIN-SUFFIX,docker.io
      - DOMAIN-SUFFIX,openai.com
      - DOMAIN-SUFFIX,redd.it
      - DOMAIN-SUFFIX,reddit.com
      - DOMAIN-SUFFIX,twimage.com
      - DOMAIN-SUFFIX,twitter.com
      - DOMAIN-SUFFIX,x.com
      - DOMAIN-KEYWORD,amazon
      - DOMAIN-KEYWORD,github
      - DOMAIN-KEYWORD,gmail
      - DOMAIN-KEYWORD,google
      - DOMAIN-KEYWORD,openai
      - DOMAIN-KEYWORD,reddit
      - DOMAIN-KEYWORD,youtube
  share:
    type: inline
    behavior: classical
    payload:
      - SRC-IP-CIDR,192.168.0.0/16
      - SRC-IP-CIDR,172.16.0.0/12
  reject:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt
    path: ./ruleset/reject.yaml
    interval: 86400
  icloud:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt
    path: ./ruleset/icloud.yaml
    interval: 86400
  apple:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt
    path: ./ruleset/apple.yaml
    interval: 86400
  proxy:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt
    path: ./ruleset/proxy.yaml
    interval: 86400
  direct:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt
    path: ./ruleset/direct.yaml
    interval: 86400
  private:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt
    path: ./ruleset/private.yaml
    interval: 86400
  gfw:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt
    path: ./ruleset/gfw.yaml
    interval: 86400
  tld-not-cn:
    type: http
    behavior: domain
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  telegramcidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  cncidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt
    path: ./ruleset/cncidr.yaml
    interval: 86400
  lancidr:
    type: http
    behavior: ipcidr
    url: https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt
    path: ./ruleset/lancidr.yaml
    interval: 86400

nftables网络配置

Wed, 10 Dec 2025 00:00:00 +0800

Debian某些版本默认的网络/防火墙规则管理组件，此处简要记录配置操作。

规则配置文件一般位于/etc/nftables.conf，样例如下：

#!/usr/sbin/nft -f

# 清空现有规则
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter;
        # 允许本机连接
        iifname lo accept
        # 允许已建立和关联的入站连接
        ct state established,related accept
        # 允许ICMP协议请求入站，频率上限每秒一次
        ip protocol icmp limit rate 1/second accept
        # 允许指定端口入站
        tcp dport {22,80,443} accept
        # 允许指定协议入站
        tcp dport {ssh,http,https} accept
        # 丢弃其他入站
        drop
    }
    chain forward {
        type filter hook forward priority filter;
        # 丢弃转发流量
        drop
    }
    chain output {
        type filter hook output priority filter;
        # 放行出站连接
        accept
    }
}

证书颁发脚本

Thu, 21 Aug 2025 00:00:00 +0800

脚本应当在Bash环境中执行，且必须部署faketime、openssl命令行工具

脚本参数

CERT_HOST 颁发证书的目标地址/名称，支持多个值，空格分隔即可 localhost 127.0.0.1 ::1

STRATEGY 本机证书校验及颁发策略，对主机自身的地址及名称的处理原则，不涉及CERT_HOST变量(变量中指定的地址及名称保证进行校验及颁发)。策略支持以下类型：

BASIC: 验证当前证书对localhost/127.0.0.1颁发即可,若验证不通过,颁发localhost/127.0.0.1的证书(构建镜像时默认使用该配置)

NORMAL: 验证当前证书对localhost/127.0.0.1颁发即可,若验证不通过,颁发<hostname>/<hostip>/localhost/127.0.0.1的证书(启动时建议使用该配置)

STRICT: 验证当前证书对<hostname>/<hostip>/localhost/127.0.0.1颁发,若验证不通过,颁发<hostname>/<hostip>/localhost/127.0.0.1的证书

2025-12-15: 已颁发证书校验部分更新为openssl verify命令，支持泛域名，支持各种IPv6格式，修复基于文本匹配的校验不严谨问题

#!/bin/bash

## 不容忍错误(任何命令出错都退出脚本)
set -e

########################## [打印日志] ##########################
## 日志记录的模块名称
MODULE_NAME=cert-util
## ANSI字符颜色转义
RED='\033[1;31m'
GREEN='\033[1;32m'
YELLOW='\033[1;33m'
## 重置所有字符格式
RESET='\033[0m'

## 日志记录方法组
function log() {
    level=$1
    format=$2
    message=${@:3}
    time=$(date "+%F %T")
    echo -e "$format[$time][$MODULE_NAME] $level - $message$RESET"
}
function success()  { log "SUCCESS" $GREEN $*; }
function info()     { log "INFO   " $RESET $*; }
function warn()     { log "WARN   " $YELLOW $*; }
function error()    { log "ERROR  " $RED $*; }
#################################################################

if [[ -z "$STRATEGY" ]]; then
    warn "未设置证书颁发策略类型,指定为默认值[NORMAL]"
    STRATEGY=NORMAL
fi

case "$STRATEGY" in
"BASIC")
    info "证书颁发策略类型为[$STRATEGY],仅验证/颁发localhost/127.0.0.1"
    ;;
"NORMAL")
    info "证书颁发策略类型为[$STRATEGY],将验证localhost/127.0.0.1,颁发hostname/hostip/localhost/127.0.0.1"
    ;;
"STRICT")
    info "证书颁发策略类型为[$STRATEGY],将验证/颁发本机hostname/hostip/localhost/127.0.0.1"
    ;;
*)
    error "不支持的证书颁发策略类型[$STRATEGY],退出脚本"
    exit 1
    ;;
esac

## 脚本所在目录
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

## 是否需要颁发证书
ISSUE_CERT=FALSE

## TODO: 在此处指定CA证书
CA_CERT_ROOT="$SCRIPT_DIR/ca-cert"
## 证书颁发机构(此处推荐使用Server CA, 信任链大致为: 根证书(Root CA) -> 服务器中间证书(Server CA) -> 服务器证书(待颁发))
CA_CRT="$CA_CERT_ROOT/???.crt"
CA_KEY="$CA_CERT_ROOT/???.key"
CA_KEY_PASS="$CA_CERT_ROOT/???.key.pass"

## 待颁发的证书
SERVER_CERT_ROOT="$SCRIPT_DIR/server-cert"
SERVER_CERT_CSR_CONF="$SERVER_CERT_ROOT/server.conf" # 证书颁发请求配置
SERVER_CERT_CSR="$SERVER_CERT_ROOT/server.csr"  # 证书颁发请求
SERVER_CERT_CRT="$SERVER_CERT_ROOT/server.crt"  # 证书(通常是PEM格式)
SERVER_CERT_KEY="$SERVER_CERT_ROOT/server.key"  # 证书私钥
SERVER_CERT_CHAIN="$SERVER_CERT_ROOT/fullchain.crt"  # 证书链(通常是PEM格式)
SERVER_CERT_P12="$SERVER_CERT_ROOT/server.p12"  # 证书(PKCS12格式)
SERVER_CERT_P12_PASS="$SERVER_CERT_ROOT/server.p12.pass"  # 证书密钥(仅适用于PKCS12格式)

SERVER_CERT_COMMON_NAME={$COMMON_NAME:-localhost}

## 校验现有证书有效性(是否对给定的名称/地址有效;是否处于有效期)
if [[ -f "$SERVER_CERT_CRT" ]]; then
    if [[ -n "$CERT_HOST" ]]; then
        info "已设置环境变量[CERT_HOST]=[$CERT_HOST],将逐个验证是否已颁发证书"
        for host in $CERT_HOST;
        do
            if [[ $host =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || $host == *:* ]]; then
                # 简单的IPv4正则，将4组最长3位的数字视为IPv4地址
                # 包含冒号视为IPv6地址
                if openssl verify -verify_ip "$host" "$SERVER_CERT_CRT" > /dev/null 2>&1; then
                    success "[√]已颁发地址证书[$host]"
                else
                    error "[×]未颁发地址证书[$host]"
                    ISSUE_CERT=TRUE
                fi
            else
                # 其余的视为名称/域名
                if openssl verify -verify_hostname "$host" "$SERVER_CERT_CRT" > /dev/null 2>&1; then
                    success "[√]已颁发名称证书[$host]"
                else
                    error "[×]未颁发名称证书[$host]"
                    ISSUE_CERT=TRUE
                fi
            fi
        done
    else
        info "未设置环境变量[CERT_HOST],跳过证书颁发目标验证"
    fi
    ## 创建&启动容器时通常是随机主机名及地址，构建时基本不可能完整颁发主机证书，只能颁发出localhost/127.0.0.1
    info "验证本机名称/IP是否已颁发证书"
    if [[ "$STRATEGY" = "STRICT" ]]; then
        info "当前策略类型为[$STRATEGY],将验证本机hostname/hostip/localhost/127.0.0.1"
        LOCALHOST="$(hostname -f) localhost $(hostname -I) 127.0.0.1"
    else
        info "当前策略类型为[$STRATEGY],仅验证localhost/127.0.0.1"
        LOCALHOST="localhost 127.0.0.1"
    fi
    for host in $LOCALHOST;
    do
        if [[ $host =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || $host == *:* ]]; then
            # 简单的IPv4正则，将4组最长3位的数字视为IPv4地址
            # 包含冒号视为IPv6地址
            if openssl verify -verify_ip "$host" "$SERVER_CERT_CRT" > /dev/null 2>&1; then
                success "[√]已颁发地址证书[$host]"
            else
                error "[×]未颁发地址证书[$host]"
                ISSUE_CERT=TRUE
            fi
        else
            # 其余的视为名称/域名
            if openssl verify -verify_hostname "$host" "$SERVER_CERT_CRT" > /dev/null 2>&1; then
                success "[√]已颁发名称证书[$host]"
            else
                error "[×]未颁发名称证书[$host]"
                ISSUE_CERT=TRUE
            fi
        fi
    done
    info "证书有效期范围[$(date -d "$(openssl x509 -in "$SERVER_CERT_CRT" -noout -startdate | cut -d= -f2)" +'%F %T'), $(date -d "$(openssl x509 -in "$SERVER_CERT_CRT" -noout -enddate | cut -d= -f2)" +'%F %T')]"
    START=$(date -d "$(openssl x509 -in "$SERVER_CERT_CRT" -noout -startdate | cut -d= -f2)" +%s)
    END=$(date -d "$(openssl x509 -in "$SERVER_CERT_CRT" -noout -enddate | cut -d= -f2)" +%s)
    NOW=$(date -u +%s)
    if [[ "$START" -le "$(date -u +%s)" && "$(date -d '+1 month' -u +%s)" -le "$END" ]]; then
        success "当前时间(及一个月内)都处于证书有效时间范围"
    else
        error "当前时间及一个月内将不在证书有效时间范围"
        ISSUE_CERT=TRUE
    fi
else
    warn "证书文件[$SERVER_CERT_CRT]不存在,将颁发证书"
    ISSUE_CERT=TRUE
fi

if [[ $ISSUE_CERT = "FALSE" ]]; then
    success "默认证书可用,无需重新颁发"
    exit 0
fi

if [[ -d "$SERVER_CERT_ROOT" ]]; then
    SERVER_CERT_ROOT_BAK="${SERVER_CERT_ROOT%/}-bak-$(date +%Y%m%d%H%M%S)"
    warn "重新颁发证书,现有证书[$SERVER_CERT_ROOT]将备份为[$SERVER_CERT_ROOT_BAK]"
    mv "$SERVER_CERT_ROOT" "$SERVER_CERT_ROOT_BAK"
fi

info "证书相关文件将保存到[$SERVER_CERT_ROOT]目录"
mkdir -p "$SERVER_CERT_ROOT"

## 明确指定证书有效期需要ca相关配置,比较麻烦,因此下面用faketime做了简易版实现
## 证书有效期：本月第一天凌晨开始，十年内有效
# CERT_START=$(date +"%Y%m01000000Z")
# CERT_END=$(date -d "$(date +%Y-%m-01) +10 years" +"%Y%m%d235959Z")

## 快捷颁发证书(仅对CN(Common Name)颁发证书,无法颁发SAN(Subject Alt Name,多个IP及域名),目前浏览器优先验证SAN,CN作为fallback)
# SUBJECT="/C=CN/ST=Shandong/L=Qingdao/O=Shandong R&D Center/CN=host.domain"
# openssl req -new -nodes -newkey rsa:2048 -keyout "$SERVER_CERT_KEY" -out "$SERVER_CERT_CSR" -subj "$SUBJECT"
# openssl x509 -req -in "$SERVER_CERT_CSR" -out "$SERVER_CERT_CRT" -outform PEM -CA "$CA_CRT" -CAkey "$CA_KEY" -passin "file:$CA_KEY_PASS" -CAcreateserial -days 3650 -sha256
## 生成配置文件,用于生成CSR(证书颁发请求文件)
## 注: 文件内容没有缩进是特意的，避免程序读取出现问题，也避免用sed消除行前空白(最后的EOF前不允许有空白，否则后续命令也被视为文本内容)
cat <<EOF > "$SERVER_CERT_CSR_CONF"
[req]
default_bits = 2048
default_md = sha256
encrypt_key = no
prompt = no
distinguished_name = dn
req_extensions = v3_req

[dn]
C = CN
ST = Shandong
L = Qingdao
O = Shandong R&D Center
OU = Qingdao R&D Center
CN = $SERVER_CERT_COMMON_NAME

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# DNS.1 = localhost
# IP.1 = 127.0.0.1
# IP.2 = ::1
EOF

if [[ -n "$CERT_HOST" ]]; then
    info "已设置变量[CERT_HOST]=[$CERT_HOST],将颁发证书(配置为CSR中的SAN)"
else
    CERT_HOST=""
    warn "未设置变量[CERT_HOST],将仅为默认名称/IP颁发证书"
fi
if [[ "$STRATEGY" = "BASIC" ]]; then
    info "当前策略类型为[$STRATEGY],仅为默认本机名称/IP(localhost/127.0.0.1/::1)颁发证书"
    HOSTS="localhost 127.0.0.1 ::1 $CERT_HOST"
else
    info "当前策略类型为[$STRATEGY],将为本机名称/IP(<hostname>/<host-ip>/localhost/127.0.0.1/::1)颁发证书"
    HOSTS="$(hostname -f) localhost $(hostname -I) 127.0.0.1 ::1 $CERT_HOST"
fi

HOSTS=$(echo "$HOSTS" | xargs | tr " " "\n" | sort -u | tr "\n" " ")
info "待颁发证书的名称/IP(去重+排序): $HOSTS"
NAMES=""
IPS=""
info "基于简易规则快速判断目标类型(IPv4/IPv6/Name)"
for host in $HOSTS;
do
    if [[ $host =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
        # 简单的IPv4正则，将4组最长3位的数字视为IPv4地址
        info " >> IPv4: $host"
        IPS="$host $IPS"
    elif [[ $host == *:* ]]; then
        # 包含冒号视为IPv6地址
        info " >> IPv6: $host"
        IPS="$host $IPS"
    else
        # 其余的视为名称/域名
        info " >> Name: $host"
        NAMES="$host $NAMES"
    fi
done

info "将为以下名称颁发证书(配置为CSR中的SAN): $NAMES"
i=1
for name in $NAMES;
do
    info "DNS.$i = $name >> $SERVER_CERT_CSR_CONF"
    echo "DNS.$i = $name" >> "$SERVER_CERT_CSR_CONF"
    i=$((i+1))
done

info "将为以下IP颁发证书(配置为CSR中的SAN): $IPS"
i=1
for ip in $IPS;
do
    info "IP.$i = $ip >> $SERVER_CERT_CSR_CONF"
    echo "IP.$i = $ip" >> "$SERVER_CERT_CSR_CONF"
    i=$((i+1))
done

info "生成CSR(证书颁发请求)"
openssl req -new -config "$SERVER_CERT_CSR_CONF" -keyout "$SERVER_CERT_KEY" -out "$SERVER_CERT_CSR"

if command -v faketime > /dev/null 2>&1; then
    if [[ "$(date +%d)" = "01" ]]; then
        CERT_START="$(date -d '-1 month' +%Y-%m-01) 00:00:00"
        warn "当前日期是[$(date +%Y-%m-%d)],为避免时区问题导致证书无效,生效开始时间设为上个月[$(date -d '-1 month' +%Y-%m-%d)]"
    else
        CERT_START="$(date +%Y-%m-01) 00:00:00"
    fi
    info "颁发证书，自[$CERT_START(UTC)]起生效，有效期十年(用faketime控制有效期,启用X509v3扩展以支持SAN)"
    TZ=UTC faketime "$CERT_START" openssl x509 -req -in "$SERVER_CERT_CSR" -extfile "$SERVER_CERT_CSR_CONF" -extensions "v3_req" -out "$SERVER_CERT_CRT" -outform PEM -CA "$CA_CRT" -CAkey "$CA_KEY" -passin "file:$CA_KEY_PASS" -CAcreateserial -days 3650 -sha256
else
    info "颁发证书，立即生效，有效期十年(启用X509v3扩展以支持SAN)"
    openssl x509 -req -in "$SERVER_CERT_CSR" -extfile "$SERVER_CERT_CSR_CONF" -extensions "v3_req" -out "$SERVER_CERT_CRT" -outform PEM -CA "$CA_CRT" -CAkey "$CA_KEY" -passin "file:$CA_KEY_PASS" -CAcreateserial -days 3650 -sha256
fi

success "证书颁发完成,证书信息如下:"
openssl x509 -in "$SERVER_CERT_CRT" -noout -text

info "生成证书链"
cat "$SERVER_CERT_CRT" "$CA_CRT" > "$SERVER_CERT_CHAIN"

info "生成证书密钥(PKCS12)"
cat /proc/sys/kernel/random/uuid > $SERVER_CERT_P12_PASS
info "生成证书(PKCS12)"
openssl pkcs12 -export -in "$SERVER_CERT_CHAIN" -inkey "$SERVER_CERT_KEY" -out "$SERVER_CERT_P12" -name "$SERVER_CERT_COMMON_NAME" -password "file:$SERVER_CERT_P12_PASS"

success "证书(PEM): $SERVER_CERT_CRT"
success "私钥: $SERVER_CERT_KEY"
success "证书链(PEM): $SERVER_CERT_CHAIN"

Markdown语法记录

Mon, 12 May 2025 00:00:00 +0800

Markdown语法记录

常规内容语法此处不再详细介绍，仅记录偶尔需要查阅语法的内容类型。

参考链接

硬换行

文档: CommonMark Spec - 6.7 Hard line breaks

连续的多行内容若不加特殊处理总是会渲染成没有换行的整个段落，手动换行可以通过插入空行、行尾空格(两个及以上)、反斜杠(\)来实现。

删除线

文档: GitHub Flavored Markdown Spec - 6.5 Strikethrough (extension)
该功能由strikethrough扩展支持，但一般默认启用。

一对~~包裹的连续内容会用删除线格式化。

~~删除线~~ -> ~~删除线~~

任务列表

文档: GitHub Flavored Markdown Spec - 5.3 Task list items (extension)
该功能由tasklist扩展支持，但一般默认启用。

1
2

+ [ ] 任务一
+ [x] 任务二

任务一
任务二

diff code block

该语法是用于展示代码增删情况，开启该功能一般不需要特殊配置。

代码块语言类型需声明为diff，在删除的行前加-，在新增的行前加+。

```diff
[dependencies.bevy]
git = "https://github.com/bevyengine/bevy"
rev = "11f52b8c72fc3a568e8bb4a4cd1f3eb025ac2e13"
- features = ["dynamic"]
+ features = ["jpeg", "dynamic"]
```

[dependencies.bevy]
git = "https://github.com/bevyengine/bevy"
rev = "11f52b8c72fc3a568e8bb4a4cd1f3eb025ac2e13"
- features = ["dynamic"]
+ features = ["jpeg", "dynamic"]

GitHub Alerts

文档: Basic writing and formatting syntax - Alerts

> [!NOTE]
> Useful information that users should know, even when skimming content.

> [!TIP]
> Helpful advice for doing things better or more easily.

> [!IMPORTANT]
> Key information users need to know to achieve their goal.

> [!WARNING]
> Urgent info that needs immediate user attention to avoid problems.

> [!CAUTION]
> Advises about risks or negative outcomes of certain actions.

GitLab Alerts

文档: GitLab Flavored Markdown (GLFM) - Alerts
GitLab >= 17.10

> [!note]
> The following information is useful.

> [!tip]
> Tip of the day.

> [!important]
> This is something important you should know.

> [!warning]
> The following would be dangerous.

> [!caution]
> You need to be very careful about the following.

此外还支持设定标题。

1
2

> [!warning] Data deletion
> The following instructions will make your data unrecoverable.

也支持GitLab段落语法

>>> [!note] Things to consider
You should consider the following ramifications:

1. consideration 1
1. consideration 2
>>>

图表

Mermaid提供支持，文档: Diagram Syntax
语法随版本升级变动频繁，需要确认平台集成的版本情况。

1
2
3

```mermaid
info
```

iptables修改数据包源地址

Fri, 25 Apr 2025 00:00:00 +0800

假定客户端1.2.3.4访问服务5.6.7.8:5678，标记端口1234

客户端规则

数据包修改

1
2

# 将访问{DST_IP}:{DST_PORT}的数据包中目的端口修改为{MARK_PORT}
iptables -t nat -A OUTPUT -d {DST_IP} -p tcp --dport {DST_PORT} -j DNAT --to-destination :{MARK_PORT}

1
2
3

## 示例
# 将访问5.6.7.8:5678的数据包中目的端口修改为1234
iptables -t nat -A OUTPUT -d 5.6.7.8 -p tcp --dport 5678 -j DNAT --to-destination :1234

路由跳转

将访问{DST_IP}的数据强制路由到动态代理服务(去进行后续的修改转发)

# 查看当前路由规则
route -n
# 获取默认网卡名称
ip -4 -o addr show | grep {HOST_IP} | awk '{print $2}' | head -n1
# 将访问特定IP的请求路由到动态代理服务(可以通过掩码修改为按段路由)
route add -net {DST_IP} netmask 255.255.255.255 gw {DPS_IP} {NET_NAME}
# 删除路由规则
route del -net {DST_IP} netmask 255.255.255.255 gw {DPS_IP} {NET_NAME}

服务端规则

启用规则

# 将访问{DST_IP}:{MARK_PORT}的数据包打上标记{MARK_PORT}
iptables -t mangle -A PREROUTING -p tcp -d {DST_IP} --dport {MARK_PORT} -j MARK --set-mark {MARK_PORT}
# 将被标记{MARK_PORT}的数据包转到实际目标端口{DST_PORT}
iptables -t nat -A PREROUTING -m mark --mark {MARK_PORT} -p tcp -j DNAT --to-destination :{DST_PORT}
# 将被标记{MARK_PORT}的数据包中的源IP修改为{SRC_IP}
iptables -t nat -A POSTROUTING -m mark --mark {MARK_PORT} -j SNAT --to-source {SRC_IP}

假定客户端1.2.3.4访问服务5.6.7.8:5678，标记端口1234

## 示例
# 将访问5.6.7.8:1234的数据包打上标记1234
iptables -t mangle -A PREROUTING -p tcp -d 5.6.7.8 --dport 1234 -j MARK --set-mark 1234
# 将被标记1234的数据包转到实际目标端口5678
iptables -t nat -A PREROUTING -m mark --mark 1234 -p tcp -j DNAT --to-destination :5678
# 将被标记1234的数据包中的源IP修改为1.2.3.4
iptables -t nat -A POSTROUTING -m mark --mark 1234 -j SNAT --to-source 1.2.3.4

撤销规则

与启用规则的区别是参数-A/--append修改为-D/--delete

1
2
3

iptables -t mangle -D PREROUTING -p tcp -d {DST_IP} --dport {MARK_PORT} -j MARK --set-mark {MARK_PORT}
iptables -t nat -D PREROUTING -m mark --mark {MARK_PORT} -p tcp -j DNAT --to-destination :{DST_PORT}
iptables -t nat -D POSTROUTING -m mark --mark {MARK_PORT} -j SNAT --to-source {SRC_IP}

查看规则

参数-S/--list-rules相对于-L/--list的输出更稳定且更适合程序处理

# 查看`mangle`表`PREROUTING`链中的规则
iptables -t mangle -S PREROUTING
# 查看`nat`表`PREROUTING`链中的规则
iptables -t nat -S PREROUTING
# 查看`nat`表`POSTROUTING`链中的规则
iptables -t nat -S POSTROUTING

输出如下

还包含其他规则、程序处理时必须严格过滤

iptables -V

iptables v1.8.7 (nf_tables)

###

iptables -t mangle -S PREROUTING

-P PREROUTING ACCEPT
-A PREROUTING -d 5.6.7.8/32 -p tcp -m tcp --dport 1234 -j MARK --set-xmark 0x4d2/0xffffffff

###

iptables -t nat -S PREROUTING

-P PREROUTING ACCEPT
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -m mark --mark 0x4d2 -j DNAT --to-destination :5678

###

iptables -t nat -S POSTROUTING

-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-a053f76f3ead -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-51b383a5369c -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -m mark --mark 0x4d2 -j SNAT --to-source 1.2.3.4

# 查看`mangle`表`PREROUTING`链中的规则
iptables -t mangle -L PREROUTING
# 查看`nat`表`PREROUTING`链中的规则
iptables -t nat -L PREROUTING
# 查看`nat`表`POSTROUTING`链中的规则
iptables -t nat -L POSTROUTING

清空规则

清空操作也会把其他应用的规则给删掉(例如Docker)，强烈不推荐

# 清空`mangle`表`PREROUTING`链中的规则
iptables -t mangle -F PREROUTING
# 清空`nat`表`PREROUTING`链中的规则
iptables -t nat -F PREROUTING
# 清空`nat`表`POSTROUTING`链中的规则
iptables -t nat -F POSTROUTING

其他

1
2

# 查看iptables规则及过滤命令
iptables -t mangle -L PREROUTING --line-numbers | grep -E '^[[:digit:]]+[[:blank:]]+MARK'

  ---
title: 数据链路图示
---
%%{init: {"flowchart": {"htmlLabels": false}} }%%
flowchart TB
    subgraph 客户端链路
        direction TB
        subgraph 容器内链路
        direction TB
            A(浏览器)
            A-->|**容器IP->目标IP:目标端口**|B
            subgraph 容器的iptables修改请求端口
            direction RL
                B(容器的iptables)
                c1(将请求目标修改为
                目标IP:标记端口)
                c1@{shape: comment}
            end
        end
        subgraph 容器主机的iptables路由请求
            C(容器主机的iptables)
            c2(将访问目标IP的请求
            路由到代理服务器)
            c2@{shape: comment}
            B-->|**容器IP->目标IP:标记端口**|C
        end
    end

    subgraph 代理服务器的iptables修改请求
        D(代理服务器的iptables)
        c3(代理服务器修改请求:
        1. 将访问目标IP:标记端口的数据包打上特定的唯一标记
        2. 将标记的数据包请求目标修改为目标IP:目标端口
        3. 将标记的数据包请求源IP修改为用户主机IP
        至此，原始请求源IP被修改为用户IP，隐藏容器的存在)
        c3@{shape: comment}
        C-->|**容器IP->目标IP:标记端口**|D
    end

    subgraph 目标服务器
        E(目标服务)
        D-->|**用户IP->目标IP:目标端口**|E
    end