OPENWRT uses nginx as a web server

Everyone uses nginx as the web server on the OP (OpenWrt), mainly for its powerful reverse proxy function, but the OpenWrt package has made some changes to stock nginx and the configuration is a bit involved. The few articles on it are fairly old and each covers only one side of it, so I was confused and could not just copy someone else's homework. I looked up the documentation, learned a bit of nginx, and ended up with the following setup:

[Diagram: Internet -> OP -> LAN. From the Internet, only the opened ports are reachable, over https with the domain name; unopened ports and plain http requests are rejected. From the LAN, the OP is reached directly by its IP address and LAN requests are let through.]

#### This assumes you have already registered a domain name, configured DDNS and obtained an SSL certificate.

Modify UCI controls

OpenWrt generates the nginx configuration from UCI, so the first step is to turn off that UCI management.
The third reference article (the official documentation) already explains this clearly: if you only need simple nginx management, UCI is enough; if you want to configure nginx yourself, turn UCI management off.
There are two ways to turn it off.
The first, more elegant way is to log in to the command line and enter:

uci set nginx.global.uci_enable=false
uci commit nginx

These two steps end UCI's takeover of the configuration.
The second, more direct way is to edit /etc/config/nginx:

config main 'global'
	# change this true to false
	option uci_enable 'false'

config server '_lan'
	option server_name '_lan'
	list include 'restrict_locally'
	list include 'conf.d/*.locations'
	option uci_manage_ssl 'self-signed'
	option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
	option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option access_log 'off; # logd openwrt'

config server '_redirect2ssl'
	list listen '80'
	list listen '[::]:80'
	option server_name '_redirect2ssl'
	option return '302 https://$host$request_uri'

After the change and a restart, nginx is no longer managed by UCI. From here on, the rest of the configuration is the same as on a regular nginx.

Fix: LAN access over http is redirected to https

Edit the configuration file /etc/nginx/nginx.conf. The relevant block, before the change:

	server { #see uci show 'nginx._lan'
		listen 443 ssl default_server;
		listen [::]:443 ssl default_server;
		server_name _lan;
		include restrict_locally;
		include conf.d/*.locations;
		ssl_certificate /etc/nginx/conf.d/_lan.crt;
		ssl_certificate_key /etc/nginx/conf.d/_lan.key;
		ssl_session_cache shared:SSL:32k;
		ssl_session_timeout 64m;
		access_log off; # logd openwrt;
	}

	server { #see uci show 'nginx._redirect2ssl'
		listen 80;
		listen [::]:80;
		server_name _redirect2ssl;
		return 302 https://$host$request_uri;
	}

Change it to:

   server { #see uci show 'nginx._lan'
   	listen 80;
   	listen [::]:80;
   	server_name _lan;
   	include restrict_locally;
   	include conf.d/*.locations;
   	access_log off; # logd openwrt;
   }

A note on this: many articles keep the _redirect2ssl virtual server instead. Which of the two you keep makes no functional difference; I kept _lan simply because the _lan files already sit in the /etc/nginx/ directory, so it felt more natural.

This line pulls in the local web UI, i.e. the OP's management page:

   	include conf.d/*.locations;

This line is the filter for the reserved LAN address ranges, so that only LAN IPs can reach the OP's management page:

   	include restrict_locally;

Also, the three major Chinese ISPs block a set of common ports such as 80 and 443 by default, which in a sense is actually quite safe.

After modifying the configuration, enter the command line:

nginx -t

This checks the configuration for basic syntax errors.
Then reload or restart nginx by typing:

service nginx reload
service nginx restart

From now on, LAN access via the IP address is no longer forced to https.
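The two security-relevant points of this section are that the management locations must always be paired with `restrict_locally`, and that a config change should only be reloaded after `nginx -t` passes. The following script is an added example (not code from the post, nor from OpenWrt's nginx package) that turns both into a pre-flight check: a cheap lint that stands in for `nginx -t` off the router, a policy check that flags any server block serving `conf.d/*.locations` without `restrict_locally`, and an apply step that backs up, tests, reloads, and rolls back on failure. The sample configs, file names and the `example.com` server are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post or from OpenWrt: pre-flight check before reloading nginx.
# (1) lint for copy-paste errors, (2) verify every server that serves the admin UI also
# carries the LAN-only ACL, (3) apply a new config with rollback. Samples are constructed.

# 1. Cheap syntax lint: every directive line ends in ';' or '{', and braces balance.
#    Off-router stand-in for 'nginx -t'; multi-line directives are not handled.
lint_nginx_conf() {     # $1 = config file
    awk '
    BEGIN { bad = 0; depth = 0 }
    { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == "" { next }
    { depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line) }
    line !~ /[;{}]$/ { printf "%s:%d: missing ; -> %s\n", FILENAME, FNR, line; bad = 1 }
    depth < 0 { printf "%s:%d: unexpected }\n", FILENAME, FNR; bad = 1; depth = 0 }
    END { if (depth != 0) { printf "%s: unbalanced braces\n", FILENAME; bad = 1 }; exit bad }
    ' "$1"
}

# 2. Policy check: a server block that includes the management locations must also
#    include restrict_locally, otherwise the admin UI is reachable on that listener.
check_mgmt_lan_only() { # $1 = config file; prints one line per management server
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*server[ \t]*[{]/ { inblk = 1; depth = 0; buf = ""; name = "?" }
    inblk {
        buf = buf $0 "\n"
        if ($1 == "server_name") { name = $2; sub(/;.*/, "", name) }
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0) {
            inblk = 0
            if (buf ~ /conf\.d\/\*\.locations/) {
                if (buf ~ /include[ \t]+restrict_locally/) print "OK " name " (LAN-only)"
                else { print "EXPOSED " name ": management locations without restrict_locally"; bad = 1 }
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# 3. Apply with rollback: back up, copy in, test ('nginx -t -c FILE' on the router), reload;
#    on any failure put the backup back. $3/$4 let the demo run without nginx installed.
apply_nginx_conf() {    # $1 = new config, $2 = live config, $3 = test cmd, $4 = reload cmd
    new="$1"; conf="$2"; test_cmd="${3:-nginx -t -c}"; reload_cmd="${4:-service nginx reload}"
    backup="$conf.bak"
    cp "$conf" "$backup" && cp "$new" "$conf" || return 2
    if $test_cmd "$conf" >/dev/null 2>&1 && check_mgmt_lan_only "$conf" >/dev/null; then
        $reload_cmd || return 3
        echo "applied $new (backup: $backup)"
        return 0
    fi
    cp "$backup" "$conf"
    echo "rejected $new: $conf restored from $backup" >&2
    return 1
}

# Constructed samples: a correct config, one that leaks the admin UI onto the WAN-facing
# proxy server, and one with a missing ';'.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/good.conf" <<'EOF'
http {
    server { #see uci show 'nginx._lan'
        listen 80;
        server_name _lan;
        include restrict_locally;
        include conf.d/*.locations;
        access_log off; # logd openwrt;
    }
    server {
        listen 9080 ssl http2;
        server_name example.com;
        location / {
            proxy_pass http://localserver:9080;
        }
    }
}
EOF
    sed '/server_name example.com;/a\
        include conf.d/*.locations;' "$d/good.conf" > "$d/exposed.conf"
    sed 's/listen 80;/listen 80/' "$d/good.conf" > "$d/missing.conf"
    echo "$d"
}

# Demo: sh preflight.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(write_samples)
    for f in good exposed missing; do
        echo "== $f.conf"
        lint_nginx_conf "$d/$f.conf" && check_mgmt_lan_only "$d/$f.conf" || echo "-> rejected"
    done
fi
```

On the router, `apply_nginx_conf /tmp/nginx.conf.new /etc/nginx/nginx.conf` uses the real `nginx -t -c` and `service nginx reload`; the lint is only a stand-in for machines where nginx is not installed, and the policy check is a plain text match, so it assumes the `restrict_locally` file shipped by OpenWrt still contains its LAN allow list.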

Add the SSL certificate

There are many guides online on how to obtain an SSL certificate. Most now automate it with the acme.sh script; the alternative is a free SSL certificate from your domain registrar. I won't go into details here, search for it yourself.
Adding an SSL certificate to nginx means declaring the two values ssl_certificate and ssl_certificate_key. Here is a way to add them globally.
Edit the configuration file /etc/nginx/nginx.conf:

   gzip_proxied any;
   
   root /www;
   
   ##### add the following to the configuration file #####
   
   # Mozilla Intermediate configuration
   ssl_protocols          TLSv1.2 TLSv1.3;
   # check that your hardware supports the ciphers below; if it does not, or you are not sure, remove this line
   ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
   
   # change the following to the paths of your own domain's certificate and private key files
   ssl_certificate /etc/nginx/conf.d/example.com.crt;
   ssl_certificate_key /etc/nginx/conf.d/example.com.key;
   # (above: your own domain's certificate and private key paths)
   ssl_session_cache shared:SSL:32k;
   ssl_session_timeout 64m;
   
   ##### end of the content to add #####
   
   server { #see uci show 'nginx._lan'

After adding this, reload and restart the nginx service.
This gives you a global SSL certificate declaration. If you have several domain names that need reverse proxying, configure the corresponding SSL certificate in the server block of each domain.
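Before pointing `ssl_certificate` and `ssl_certificate_key` at a pair of files (globally, or per server block when several domains are proxied), it pays to check that the certificate actually matches the key, that it covers the `server_name`, and that it is not about to expire; nginx will refuse to start on a mismatch and browsers will reject the wrong name. The script below is an added example, not from the post, and assumes only the `openssl` command line tool; the self-signed `example.test` certificate and the unrelated `other.key` are generated inside the script for the demo.

```shell
#!/bin/sh
# Added example, not from the post: sanity checks for a cert/key pair before using it in
# ssl_certificate / ssl_certificate_key. Needs the openssl CLI. example.test is constructed.

# Does the certificate's public key match the private key? Compares the SPKI PEM that both
# commands print, so it works for RSA and EC keys alike.
cert_matches_key() {    # $1 = cert PEM, $2 = key PEM
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Will the certificate still be valid in $2 days? (-checkend returns non-zero if not)
cert_valid_for_days() { # $1 = cert PEM, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Is $2 in the certificate's SAN list (or, for old CN-only certs, its subject CN)?
cert_covers_name() {    # $1 = cert PEM, $2 = host name
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    echo "$text" | grep -qE "DNS:$2(,|$)" && return 0
    echo "$text" | grep -qE "Subject:.*CN ?= ?$2(,|$)"
}

# Run all three for one server block; non-zero if anything fails.
check_cert_pair() {     # $1 = cert, $2 = key, $3 = server_name, $4 = minimum days left
    ok=0
    cert_matches_key "$1" "$2"    || { echo "FAIL: $2 does not match $1"; ok=1; }
    cert_valid_for_days "$1" "$4" || { echo "FAIL: $1 expires within $4 days"; ok=1; }
    cert_covers_name "$1" "$3"    || { echo "FAIL: $1 does not cover $3"; ok=1; }
    [ "$ok" -eq 0 ] && echo "OK: $1 / $2 for $3"
    return "$ok"
}

# Constructed test material: a self-signed 30-day cert for example.test plus an unrelated key.
make_sample_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
        -keyout "$d/example.test.key" -out "$d/example.test.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
    echo "$d"
}

# On the router, for the paths used in this post (replace example.com with your domain):
#   check_cert_pair /etc/nginx/conf.d/example.com.crt /etc/nginx/conf.d/example.com.key example.com 14
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_pki) || exit 1
    check_cert_pair "$d/example.test.crt" "$d/example.test.key" example.test 7
    check_cert_pair "$d/example.test.crt" "$d/other.key" example.test 60 || true
fi
```

Run it for every certificate/key pair referenced in nginx.conf and in conf.d/*.conf; a mismatch between a renewed certificate and a stale key is the usual cause of nginx failing to start after an acme.sh renewal.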

Add a reverse proxy

Generally, if you need a service reachable from the outside, a plain port forward to the specified port of the specified LAN IP is enough:

[Diagram: Internet -> OP -> LAN service. Access by domain name plus port; the OP forwards the external request to the LAN service.]

With an nginx reverse proxy, however, external traffic is first forwarded to the designated port on the OP, and then nginx on the OP forwards it to the LAN IP:

[Diagram: Internet -> OP.NGINX -> LAN service. Access by domain name plus port reaches the nginx server on the OP; nginx decides whether to forward the external request.]

So remember to forward the corresponding port to the OP's own local port under OP -> Firewall -> Port Forwards.
Following usual nginx practice, I created a configuration file example.com.conf in the /etc/nginx/conf.d directory:

server {
   # the ssl parameter is usually enough; I also require http2 here
   listen 9080 ssl http2;
   listen [::]:9080 ssl http2;
   # change to your own domain
   server_name example.com;

   location / {
   	# change to the LAN IP and port you want to proxy
   	proxy_pass http://localserver:9080;
   	proxy_set_header Host $host;
   	# the following include was generated by a configuration site; it is fine to leave it out
   	include nginxconfig.io/proxy.conf;
   }
   access_log on; # logd openwrt;
   # location / { ... } # root location for this server.
}

After adding it, test the configuration for syntax errors, then reload and restart the nginx service. If access via the domain name fails, don't panic:
1. From the LAN, access the nginx server's address with the configured port to confirm the internal service works.
2. Confirm that the dynamic DNS record has taken effect and is correct.
3. If it is neither of those, the port you opened has probably been blocked by the ISP; switch to another port.
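The three steps above are an ordered checklist, so here they are as an added example script (not from the post) that runs them in order and stops at the first failing one. It assumes a busybox or uclient `wget` with `-T`, `-O` and `--no-check-certificate` (certificate validation is skipped because the point is reachability), a `nslookup` whose output contains the resolved address, and that step 3 is run from a host outside your LAN, since from inside the request may hairpin through NAT and tell you nothing about the ISP. `example.com`, `192.168.1.1` and `203.0.113.10` are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: the three troubleshooting steps as an ordered script.
# Assumes busybox/uclient wget and nslookup; hosts and addresses below are placeholders.

# Probe: does an HTTPS server answer on host:port? Certificate is not verified here,
# only reachability matters. Overridden in tests.
probe_https() {         # $1 = host, $2 = port
    wget -q -O /dev/null -T 5 --no-check-certificate "https://$1:$2/" 2>/dev/null
}

# Probe: does the DDNS name currently resolve to the router's WAN address?
probe_dns() {           # $1 = domain, $2 = expected WAN IP
    nslookup "$1" 2>/dev/null | grep -q "$2"
}

# Walk the checklist in order; the return code says which step failed (0 = all passed).
diagnose_proxy() {      # $1 = domain, $2 = port, $3 = router LAN IP, $4 = current WAN IP
    if ! probe_https "$3" "$2"; then
        echo "step 1 failed: nothing answers on $3:$2 from the LAN;" \
             "check nginx -t, the server block's listen port and the proxy_pass target"
        return 1
    fi
    if ! probe_dns "$1" "$4"; then
        echo "step 2 failed: $1 does not resolve to $4; DDNS has not updated"
        return 2
    fi
    if ! probe_https "$1" "$2"; then
        echo "step 3 failed: $1:$2 is not reachable from outside;" \
             "port not forwarded, or blocked by the ISP: try another port"
        return 3
    fi
    echo "all three checks passed for https://$1:$2/"
    return 0
}

# Usage: sh diagnose.sh example.com 9080 192.168.1.1 203.0.113.10
if [ $# -eq 4 ]; then
    diagnose_proxy "$@"
fi
```

Run it twice: once on the router or a LAN host (steps 1 and 2 are meaningful there) and once from outside, e.g. a phone on mobile data, to get a trustworthy answer for step 3.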

Here are the contents of /etc/nginx/nginxconfig.io/proxy.conf:

proxy_http_version                 1.1;
proxy_cache_bypass                 $http_upgrade;

# Proxy SSL
proxy_ssl_server_name              on;

# Proxy headers
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;

# Proxy timeouts
proxy_connect_timeout              60s;
proxy_send_timeout                 60s;
proxy_read_timeout                 60s;

These changes are adapted from the demo of the NGINX configuration generator site; add them at your own discretion: NGINXConfig, the easiest way to configure a performant, secure and stable NGINX server.

Add automatic http-to-https redirection for external access

At this point access already works, but if you use http against a port that requires https, nginx returns a 400 error, meaning you should use https.
You could naturally reuse the LAN http-to-https approach, but as I recall that had some problems in my testing, so here is a method I found recently that redirects all access via the domain name to https; you can of course change the port to a specific one:

server {
   # listens on port 80 of the address example.com resolves to
   listen example.com;
   server_name example.com;
   # keep the "/" between host and path, otherwise /foo becomes https://example.comfoo
   rewrite ^/(.*)$ https://$host/$1 permanent;
}

Main reference articles

1. K3 ultimate tinkering notes (3): remote access to OpenWrt via an IPv6 domain name, HTTPS certificate installation and configuration.
2. Setting up nginx on OpenWrt so that HTTP is not redirected to HTTPS, for normal use of the OpenClash yacd panel.
3. Nginx webserver (OpenWrt documentation).

Origin blog.csdn.net/m0_46645810/article/details/129034751