server {
# 监听IPv4,并开启Proxy Protocol协议
listen 4443 ssl proxy_protocol;
# 监听IPv6,并开启Proxy Protocol协议
listen [::]:4443 ssl proxy_protocol;
# 监听的域名,你解析给云服务器的域名
server_name bs.home.com;
# 排除Cloudflare CDN的IP
# 如果你有使用到CDN的服务的话,一般NAS不会使用到此类IP
# 仅供参考
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# 排除本地IP,请根据你的具体情况配置
set_real_ip_from 192.168.0.0/16;
set_real_ip_from 172.17.0.0/16;
set_real_ip_from 127.0.0.0/8;
# 排除服务器IP
set_real_ip_from 1.1.1.1/32;
# 真实IP使用proxy_protocol协议
real_ip_header proxy_protocol;
# 开启排除IP功能
real_ip_recursive on;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
# 反向代理
location / {
# 目标地址,实际可以访问的群晖内网默认HTTPS地址及端口,请根据实际情况调整
proxy_pass https://192.168.1.88:84443;
# 兼容http
# proxy_set_header Upgrade-Insecure-Requests 1;
# 告诉后端使用ssl
proxy_ssl_server_name on;
# 客户端使用的http协议
proxy_set_header X–Forwarded–Proto $scheme;
proxy_set_header X–Scheme $scheme;
# 客户端host
proxy_set_header Host $host;
proxy_set_header REMOTE–HOST $remote_addr;
proxy_set_header X–Forwarded–Host $http_host;
# 完整URI
proxy_set_header X–Original–URI $request_uri;
# 客户端使用的端口
proxy_set_header X–Real–Port $proxy_protocol_port;
# 多层代理IP
proxy_set_header X–Forwarded–For $proxy_protocol_addr;
# 客户端IP,群晖默认会通过X-Real-IP获取用户IP
proxy_set_header X–Real–IP $proxy_protocol_addr;
# 支持Websocket
# 如果你使用诸如Docker bash此类的功能,则需要开启Websocket
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection Upgrade;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 12s;
# 配置文件来自https://www.alainlam.cn/?p=403
}
原文链接:https://cutepig.net/archives/6339