quakemachineX

为了防止滥用，先生成认证文件：

#生成密码文件，添加用户名
sudo sh -c "echo -n 'sammy:' >> /usr/local/nginx/conf/.htpasswd"
#为此用户设置密码
sudo sh -c "openssl passwd -apr1 >> /usr/local/nginx/conf/.htpasswd"

1. 通过境外 VPS 反代：

nginx 关键代码：

location /
{
#	开启认证防止滥用
	auth_basic "Once A Thief";
	auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

	proxy_pass http://www.t66y.com;
	proxy_set_header Host www.t66y.com;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header REMOTE-HOST $remote_addr;

	add_header X-Cache $upstream_cache_status;
	proxy_set_header Accept-Encoding "";
	proxy_ssl_name www.t66y.com;
	proxy_ssl_server_name on;
	sub_filter "www.t66y.com" "usite.domain.com";
	sub_filter_once off;
	expires 12h;
}

location ~ .*.(php|jsp|cgi|asp|aspx|flv|swf|xml)?$
{
	auth_basic "Once A Thief";
	auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
	proxy_pass http://www.t66y.com;
	proxy_set_header Host www.t66y.com;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header REMOTE-HOST $remote_addr;
	proxy_set_header Accept-Encoding "";
	sub_filter "www.t66y.com" "usite.domain.com";
	sub_filter_once off;
}

location ~ .*.(html|htm|png|gif|jpeg|jpg|bmp|js|css)?$
{
	auth_basic "Once A Thief";
	auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
	proxy_pass http://www.t66y.com;
	proxy_set_header Host www.t66y.com;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header REMOTE-HOST $remote_addr;
	proxy_set_header Accept-Encoding "";
	sub_filter "www.t66y.com" "usite.domain.com";
	sub_filter_once off;
	expires 24h;
}

2. 通过境内 VPS 反代：

nginx 关键代码：

location /
{
#	turn on auth for this location
	auth_basic "Once A Thief";
	auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

	proxy_pass https://127.0.0.1:1024;
	proxy_set_header Host www.t66y.com;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header REMOTE-HOST $remote_addr;

	add_header X-Cache $upstream_cache_status;
	proxy_set_header Accept-Encoding "";
	proxy_ssl_name www.t66y.com;
	proxy_ssl_server_name on;
	sub_filter "www.t66y.com" "usite.domain.com";
	sub_filter_once off;
	expires 12h;
}

需要准备一个可以出去的 socks5 代理，v2ray,ss,trojan 随便你用什么，假设监听在本地的 1080 端口；

安装 socat：

apt install socat

测试时可用命令行：

socat -d -d TCP4-LISTEN:1024,bind=127.0.0.1,reuseaddr,fork PROXY:127.0.0.1:t66y.com:443,proxyport=1080

正式工作的 systemd service 文件：

[Unit]
Description=socat
After=network.target

[Service]
Restart=on-failure
RestartSec=5s
ExecStart=/usr/bin/socat TCP4-LISTEN:1024,bind=127.0.0.1,reuseaddr,fork PROXY:127.0.0.1:t66y.com:443,proxyport=1080

[Install]
WantedBy=multi-user.target

参考：

https://stackoverflow.com/questions/46803431/nginx-proxy-pass-over-https-proxy
https://gist.github.com/miyouzi/3e3d57cde402b829aeb1d865b14eaa1a

2022-10-10 更新：

location /
    {
        auth_basic "Once A Thief";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        proxy_ssl_name www.t66y.com;
        proxy_ssl_server_name on;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 5;
        gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        gzip_vary off;
        proxy_redirect off;
        proxy_set_header Host www.t66y.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://www.t66y.com;
        proxy_set_header Accept-Encoding "";
        sub_filter 'www.t66y.com' 'cl.249749.xyz';
        sub_filter_types text/xml;
        sub_filter_once off;
    }

这里试过反代 ifile share，cloudreve，metube 等都出现这个问题，主页面可以显示，表示反代是没有问题的，但是所有 css，js 文件都是 404，界面显示不完全，很奇怪，你说都是静态文件，但 favicon.ico 那些没问题。

原本反代代码，css/js 404 出错：

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:808;
            add_header X-Cache $upstream_cache_status;
            add_header Cache-Control no-cache;
        }

添加以下代码，则正常：

        location ~* \.(gif|png|jpg|css|js|woff|woff2)$ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:808;
            expires 12h;
        }

这里有个问题，如果反代不是在 / 下，而是子目录下，比如 /metube，按照上面的写法就会影响到 / 下主站，导致主站找不到一些资源文件，我这里就出现修改后主站找不到 favicon.png 的问题，所以我就只添加 css|js 添加子目录匹配：

        location /metube/ {
            proxy_pass http://127.0.0.1:8081;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }

        location ~ ^/metube/.*\.(css|js)$ {
            proxy_pass http://127.0.0.1:8081;
            proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }

主站 PHP 脚本都是远程调用 CDN 的 css|js，没有本地的，所以没出问题。至少这样暂时能用。

没找到问题的根本！

Specify a web root for the WebUi

redir /syncthing /syncthing/ 302
proxy /syncthing http://syncthing:8384/ {
transparent
without /syncthing
}