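To prevent abuse, first generate the authentication file:

    # Create the password file and add the user name
    sudo sh -c "echo -n 'sammy:' >> /usr/local/nginx/conf/.htpasswd"
    # Set the password for this user (openssl prompts for it)
    sudo sh -c "openssl passwd -apr1 >> /usr/local/nginx/conf/.htpasswd"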
1. Reverse proxy through an overseas VPS:

Key nginx configuration:

    location / {
        # Enable authentication to prevent abuse
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        proxy_pass http://www.t66y.com;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        add_header X-Cache $upstream_cache_status;
        # Ask the upstream for uncompressed bodies so sub_filter can rewrite them
        proxy_set_header Accept-Encoding "";
        # proxy_ssl_* only take effect when proxy_pass uses https://
        proxy_ssl_name www.t66y.com;
        proxy_ssl_server_name on;
        sub_filter "www.t66y.com" "usite.domain.com";
        sub_filter_once off;
        expires 12h;
    }

    # Dot escaped and the trailing "?" dropped, so the pattern matches only these extensions
    location ~ .*\.(php|jsp|cgi|asp|aspx|flv|swf|xml)$ {
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        proxy_pass http://www.t66y.com;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Accept-Encoding "";
        sub_filter "www.t66y.com" "usite.domain.com";
        sub_filter_once off;
    }

    location ~ .*\.(html|htm|png|gif|jpeg|jpg|bmp|js|css)$ {
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        proxy_pass http://www.t66y.com;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Accept-Encoding "";
        sub_filter "www.t66y.com" "usite.domain.com";
        sub_filter_once off;
        expires 24h;
    }
2. Reverse proxy through a domestic (in-country) VPS:

Key nginx configuration:

    location / {
        # turn on auth for this location
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        # Local socat listener (set up below) that tunnels to the upstream
        proxy_pass https://127.0.0.1:1024;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        add_header X-Cache $upstream_cache_status;
        proxy_set_header Accept-Encoding "";
        # Send the real host name as SNI, since proxy_pass points at 127.0.0.1
        proxy_ssl_name www.t66y.com;
        proxy_ssl_server_name on;
        sub_filter "www.t66y.com" "usite.domain.com";
        sub_filter_once off;
        expires 12h;
    }
You need a SOCKS5 proxy that can reach the outside: v2ray, ss, trojan, whatever you prefer. Assume it listens on local port 1080.

Install socat:

    apt install socat

For testing, run it from the command line:

    # Note: socat's PROXY address type speaks HTTP CONNECT, so port 1080 must accept HTTP proxy requests
    socat -d -d TCP4-LISTEN:1024,bind=127.0.0.1,reuseaddr,fork PROXY:127.0.0.1:t66y.com:443,proxyport=1080

systemd service file for production use:

    [Unit]
    Description=socat
    After=network.target

    [Service]
    Restart=on-failure
    RestartSec=5s
    ExecStart=/usr/bin/socat TCP4-LISTEN:1024,bind=127.0.0.1,reuseaddr,fork PROXY:127.0.0.1:t66y.com:443,proxyport=1080

    [Install]
    WantedBy=multi-user.target
References:
https://stackoverflow.com/questions/46803431/nginx-proxy-pass-over-https-proxy
https://gist.github.com/miyouzi/3e3d57cde402b829aeb1d865b14eaa1a
Update 2022-10-10:

    location / {
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        proxy_ssl_name www.t66y.com;
        proxy_ssl_server_name on;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 5;
        gzip_types text/plain application/javascript application/x-javascript
                   text/css application/xml text/javascript application/x-httpd-php
                   image/jpeg image/gif image/png;
        gzip_vary off;
        proxy_redirect off;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://www.t66y.com;
        proxy_set_header Accept-Encoding "";
        sub_filter 'www.t66y.com' 'cl.249749.xyz';
        # text/html is always filtered; this adds text/xml
        sub_filter_types text/xml;
        sub_filter_once off;
    }
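The configurations above repeat the `auth_basic` pair in every `location`, so one block that omits it leaves an open proxy. The following check is an added example, not part of the original post: it parses a config and lists every block that uses `proxy_pass` without effective Basic auth, honoring nginx's inheritance from enclosing levels. The function names and the sample config are constructed for illustration.

```python
import re

SAMPLE = r'''# constructed sample: one location forgets auth, one disables it
location / {
    auth_basic "Once A Thief";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
    proxy_pass https://127.0.0.1:1024;
}
location ~ .*\.(php|xml)$ {
    proxy_pass https://127.0.0.1:1024;   # auth forgotten
}
location /open {
    auth_basic off;                      # auth disabled
    proxy_pass https://127.0.0.1:1024;
}
'''
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')

def parse(text):
    """Build nested blocks: {"head": str, "dirs": {name: args}, "kids": [...]}."""
    text = re.sub(r"(?m)#.*$", "", text)  # simplification: every '#' starts a comment
    stack, words = [{"head": "main", "dirs": {}, "kids": []}], []
    for tok in TOKEN.findall(text):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            blk = {"head": " ".join(words), "dirs": {}, "kids": []}
            stack[-1]["kids"].append(blk)
            stack.append(blk)
        elif tok == "}":
            stack.pop()
        elif words:
            stack[-1]["dirs"][words[0]] = words[1:]
        words = []
    return stack[0]

def unprotected_proxies(text):
    """Return headers of blocks that proxy_pass without effective Basic auth."""
    findings = []
    def walk(blk, realm, userfile):
        # nginx inherits both directives from the enclosing level unless redefined.
        realm = blk["dirs"].get("auth_basic", [realm])[0]
        userfile = blk["dirs"].get("auth_basic_user_file", [userfile])[0]
        if "proxy_pass" in blk["dirs"] and (realm in (None, "off") or not userfile):
            findings.append(blk["head"])
        for kid in blk["kids"]:
            walk(kid, realm, userfile)
    walk(parse(text), None, None)
    return findings
```

Run `unprotected_proxies(open(path).read())` against the server configuration before reloading nginx; an empty list means every proxied block is behind the password file.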