Qnap docker 的V2ray + NGINX + 本機Letsencrypt 設定過程.

Rank: 3 Rank: 3 Rank: 3

2^#

發表於 2018-5-22 16:23 | 只看該作者

本帖最後由 MirageKnight 於 2018-5-22 16:28 編輯

NGINX config folder 比較麻煩. 有很多files, 也不會自動generate. 所以要先裝一次tar 了整個config出來.
裝完後, 在按落 nginx container那個command propmpt.

cd /etc/nignx
tar -zcvf nginx-config.tar.gz .
cd /usr/share/nginx/html
tar -zcvf html.tar.gz .
exit

複製代碼

ssh 進NAS. 到Container那個share folder內. 自己建立一個 "volumes" folder. 主要用來儲存docker 那些share volume.
進入 volumes. 分別建立 "nginx/conf, nginx/web, nginx/conf/certs" 這3個folder.

在 "nginx/conf" 內copy nginx container 那個config tar file出來和解壓.

docker cp nginx-1:/etc/nginx/nginx-conf.tar.gz .
tar -zxvf nginx-conf.tar.gz .
rm nignix-conf.tar.gz

複製代碼

在 "nginx/web" 內copy nginx container 那個 html tar file出來和解壓.

docker cp nginx-1:/usr/share/nignx/html/html.tar.gz .
tar -zxvf html.tar.gz .
rm html.tar.gz

複製代碼

停了並delete了那個試裝和copy config 的NGINX container. 現在要來真的了.
安裝時. 請用以下設定要點.

1. 請在advanced setting 的network 在用 "Bridge" mode, static ip. 如下圖

2. 在share folder setting在參照自己本機setting. 建立如圁中NGINX的兩個mount potin.

這樣以後要修改東西東不用copy 到 nginx的container內.

接下來便是停了nginx container. 修改configuration. 因為是由零開始. 所以config 會一步一步的加上去. 這是用來拿LetsEncrypt部份設定.

用你的方法來修改在"/share/Container/volumes/nginx/conf"(或你本機相關的folder)那個"nginx.conf". 如下.

user nginx;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
listen [::]:80;
server_name abcd.ddnsdomain.com;
# return 404 coz hosting nothing.
location / {
return 404;
}
# letsencrypt web challenge page
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/nginx/html/letsencrypt;
}
# for security
location = /.well-known/acme-challenge/ {
return 404;
}
}
}

複製代碼

到 "/share/Container/volumes/nginx/web" 創建一個 "letsencrypt" 的folder. 留給LetsEncrypt用.

如果沒有錯漏. nginx 可以起動了. 下一part 便是LetEncrypt. 等到LetEncrypt 和 V2RAY 完成. 還會動新大改動一次ngnix 的 config.

Rank: 3 Rank: 3 Rank: 3

3^#

發表於 2018-5-22 16:23 | 只看該作者

本帖最後由 MirageKnight 於 2018-5-22 16:31 編輯

先用"File Station" Create 一個 "LetsEncrypt" 的Share folder. 在"LetsEncrypt" 內再create "certs"和"acme-tiny"這兩個folder.

上網到 "https://github.com/Yannik/qnap-letsencrypt". 我很懶寫scrip. 主要是要"renew_certificate.sh" 和 "openssl.cnf" 這兩個 file. 分別點click落去. copy and paste 落text editor. save 落去 "LetsEncrypt"內.

跟着到"https://github.com/diafygi/acme-tiny". 這次不用copy and paste. 這裡有"release" download. Click 落網頁內的 release link. download 最新版便可以. 將它unzip 到"acme-tiny"內.

以下大部份都是翻譯acme-tiny和yannik 的readme....

第一步是generate 一條 accout key. 如果你本身有letsencrypt 可以用返. 如果你知我在說什麼...不知的講就跟住做....

ssh 到 qnap nas.
到"/share/LetsEncrypt/certs" 內.

openssl genrsa 4096 > account.key

複製代碼

第二步generate 一條 domain key. 如果有舊的都可以. copy 佢到 "certs" 內. 在這裡順帶一提LetsEncryp 支援一張cert認證很多個不同的domains.

# Generate a domain private key (if you haven't already)

openssl genrsa 4096 > domain.key

複製代碼

如果你只係想generate 一個 domain. 跟以下

openssl req -new -sha256 -key domain.key -subj "/CN=yoursite.myqnapcloud.com" > domain.csr

複製代碼

如果你有幾個不同DDNS. 可以用晒同一張cert. 唔使咁煩. 可以跟以下步驟.

cp ../openssl.cnf openssl-csr-config.cnf
printf "subjectAltName=DNS:yoursite.myqnapcloud.com,DNS:yoursite.3322.com, yoursite.no-ip.com" >> openssl-csr-config.cnf
openssl req -new -sha256 -key keys/domain.key -subj "/" -reqexts SAN -config openssl-csr-config.cnf > domain.csr

複製代碼

自己修改 printf 中那幾個 yoursitex.xxxx.xxx. 可以支援很多個. 自己加就得.

第三步是修改renwew_certificate.sh.

回到"/share/LetEncrypt"

用TextEditor. 開啟"renew_certificate.sh"

修改到這樣...

#!/bin/bash
set -e
# do nothing if certificate is valid for more than 30 days (30*24*60*60)
echo "Checking whether to renew certificate on $(date -R)"
[ -s /share/LetsEncrypt/certs/signed_chain.crt ] && openssl x509 -noout -in /share/LetsEncrypt/certs/signed_chain.crt -checkend 2592000 && exit
if python -c "import SimpleHTTPServer" 2> /dev/null; then
PYTHON=python
elif "$(/sbin/getcfg Python Install_Path -f /etc/config/qpkg.conf)/bin/python2" -c "import SimpleHTTPServer" 2> /dev/null; then
PYTHON="$(/sbin/getcfg Python Install_Path -f /etc/config/qpkg.conf)/bin/python2"
elif "$(/sbin/getcfg Python Install_Path -f /etc/config/qpkg.conf)/src/bin/python2" -c "import SimpleHTTPServer" 2> /dev/null; then
PYTHON="$(/sbin/getcfg Python Install_Path -f /etc/config/qpkg.conf)/src/bin/python2"
elif "$(/sbin/getcfg Python3 Install_Path -f /etc/config/qpkg.conf)/python3/bin/python3" -c "import http.server" 2> /dev/null; then
PYTHON="$(/sbin/getcfg Python3 Install_Path -f /etc/config/qpkg.conf)/python3/bin/python3"
else
echo "Error: You need to install the python 2.7 or 3.5 qpkg!"
exit 1
fi
echo "Renewing certificate..."
#echo "Stopping Qthttpd hogging port 80.."
#/etc/init.d/Qthttpd.sh stop
#mkdir -p tmp-webroot/.well-known/acme-challenge
#cd tmp-webroot
#"$PYTHON" ../HTTPServer.py &
#pid=$!
#cd ..
#echo "Started python HTTP server with pid $pid"
export SSL_CERT_FILE=cacert.pem
#請自行修改相關pathing
"$PYTHON" /share/LetsEncrypt/acme-tiny/acme_tiny.py --account-key /share/LetsEncrypt/certs/account.key --csr /share/LetsEncrypt/certs/domain.csr --acme-dir /share/Container/volumes/nginx/web/letsencrypt/.well-known/acme-challenge > /share/LetsEncrypt/certs/signed_chain.crt
echo "Downloading intermediate certificate..."
wget --no-verbose -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > /share/LetsEncrypt/certs/intermediate.pem
#cat /share/LetsEncrypt/certs/signed_chain.crt /share/LetsEncrypt/certs/intermediate.pem > /share/LetsEncrypt/certs/chained.pem
# copy cert and key to NGINX and restart it. 請自行修改相關pathing, nginx container 個名等等...
cp /share/LetsEncrypt/certs/domain.key /share/Container/volumes/nginx/conf/certs/domain.key
cp /share/LetsEncrypt/certs/signed_chain.crt /share/Container/volumes/nginx/conf/certs/signed_chain.crt
docker container restart nginx-main
# copy new cert for qnap server.
echo "Stopping stunnel and setting new stunnel certificates..."
/etc/init.d/stunnel.sh stop
cat /share/LetsEncrypt/certs/domain.key /share/LetsEncrypt/certs/signed_chain.crt > /etc/stunnel/stunnel.pem
cp /share/LetsEncrypt/certs/intermediate.pem /etc/stunnel/uca.pem
echo "Done! Service startup and cleanup will follow now..."
/etc/init.d/stunnel.sh start
#kill -9 $pid || true
#rm -rf tmp-webroot
#/etc/init.d/Qthttpd.sh start

複製代碼

因為我用NGINX. 主要是remark了原本script 中行web sever 部份, 同時修改了file path. 如果你用的path 不同. 請自行修改.

第四步. 試行...
萬事俱備. 可以試行了. 希望大家都沒有問題.

mv /etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem.orig (backup)

複製代碼

Run renew_certificate.sh.
好像要chomd 744 renew_certificate.sh 先.

./renew_certificate.sh

複製代碼

如果順利你會見一段野出來, 當中沒有error message的. 那就恭喜你了. 有問題請自行解決或post 出來大家研究所下....

順利完成後, 你會發現"certs" folder內. 會多了"signed-chain.crt", "intermediate.pem" 這兩個 files.

設定crontab. 便可以自動update LetsEncrypt cert.

加以下的cronjob到 "/etc/config/crontab"

30 3 * * * cd /share/LetsEncrypt/ && ./renew_certificate.sh >> ./renew_certificate.log 2>&1

複製代碼

然後 run :

crontab /etc/config/crontab
/etc/init.d/crond.sh restart

複製代碼

最難度高的東西完成. 下一步是用setup V2RAY docker.

Rank: 3 Rank: 3 Rank: 3

4^#

發表於 2018-5-22 16:23 | 只看該作者

本帖最後由 MirageKnight 於 2018-5-22 16:33 編輯

V2RAY 算是最易的一部份了.

我建議安裝official v2ray那個版本. 最新最update的.

首先在"/share/Container/volumes" 加一個 "v2ray" folder. v2ray folder內加一個"conf"

在 "conf" 用 text editor edit 一個config file. 如果你已經有V2RAY docker. 你可以由container copy 出來. 參考在nignx那部份.

修改它變成行websock. 我的config file 如下.

{
"log" : {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
},
"inbound": {
"port": 46889,
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "27c05b31-fd5e-4dbf-xxxx-9ba9d14f80be", #請用自己的uuid. 我估你知係乜來. 唔知google 下
"level": 1,
"alterId": 64
}
]
},
"streamSettings": {
"network": "ws",
"security": "auto",
"wsSettings": {
"connectionReuse": false,
"path": "/letmefree/"
}
}
},
"outbound": {
"protocol": "freedom",
"settings": {}
},
"inboundDetour": [
{
"protocol": "shadowsocks",
"port": 184774,
"settings": {
"method": "aes-256-cfb",
"password": "your password for SS backup connection",
"udp": true,
"level": 1
}
},
{
"protocol": "shadowsocks",
"port": 18471,
"settings": {
"method": "aes-256-cfb",
"password": "your password for SS backup connection",
"udp": true,
"level": 1
}
}
],
"outboundDetour": [{
"protocol": "blackhole",
"settings": {},
"tag": "blocked"
}],
"routing": {
"strategy": "rules",
"settings": {
"rules": [{
"type": "field",
"ip": [
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"::1/128",
"fc00::/7",
"fe80::/10"
],
"outboundTag": "blocked"
}]
}
}
}

複製代碼

請自行修改config file. 以上只作參考. websock 主要是在"streamingSettings" 那一部份.

有了config file. 那便開始安裝.

在安裝時一樣是用Bridge mode. 也設是一個在host的folder 給它作config file mount point.

如圖.

如果config file沒有問題. V2RAY 便順利完成. 最最後一步. 修改NGINX config.

用text editor 修改"/share/Container/volumes/nginx/conf/nginx.conf".

以下config只作參考.

user nginx;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#這樣的設定會redirect 所有80 port 的http. 去 443 port 的https. 請放心. letsencrp 支援 https 的 challange的.
server {
listen 80;
listen [::]:80;
server_name yoursite.myqnapcloud.com;
return 301 https://yoursite.myqnapcloud.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443;
server_name yoursite.myqnapcloud.com;
ssl on;
ssl_certificate /etc/nginx/certs/signed_chain.crt;
ssl_certificate_key /etc/nginx/certs/domain.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on;
# proxy your web site, 修改當中的 "https://" 去你的web server https port. 如果你沒有host webserver. 可以改成" return 404;:
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass https://your.nas.webpage.https.ip.address:8080/;
}
# letsencrypt web challenge page
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/nginx/html/letsencrypt;
}
# for security
location = /.well-known/acme-challenge/ {
return 404;
}
# for V2RAY. 請跟足那幾句" proxy_" setting. 這樣nginx才會用websock pass data 去V2RAY. 自行修改"proxy_pass" 到你的V2RAY docker ip 和 listen port.
location /letmefree/ {
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_pass http://v2raydockerip:46889;
}
}
}

複製代碼

修改完成後. restart NGINX 這個container. 如果沒有問題便完工.

你可以用不同的 V2RAY client來試了.

記得要enable "MUX".
address入返你個DDNS或ip.
v2ray 的PORT 是443.
用返和server一樣的UID 和alterid.
security 用 "aes-128-cfb"
network 選 "ws/websock"
path 入返你在nginx和v2ray 一樣的patch . 上面用 "/letmefree/"
tls 請選 "tls".

咁樣就完成.

Rank: 3 Rank: 3 Rank: 3

5^#

發表於 2018-5-22 16:23 | 只看該作者

本帖最後由 MirageKnight 於 2018-5-23 00:55 編輯

大至上就是這樣. 如果你係docker 高手. 可以用docker compose 搞好野D config.
還有就是活用 docker share host volume/foder功能. 有好多docker 好好用.
如果你是用qnapcloud 係可以用 nginx 來proxy 返去 NAS 那個apache server.

account key 可以keep 住用, domain key 一樣. 除非你加個D domain 有變. 如果有變只要重做 generate domain.csr個一part. run 個script 就得. 當然要remark 一 remark check cert到期先來regernate. regernate完又記得 delete返remark.... set好cron job. 每日都會都同check . 張cert到期日少個30日會連上letsencrypt 做renew.

順帶一提. V2RAY 的 vmess 時有time stamp. 所以 client 同 server 唔好有超過5分鐘的時差相距.