Enough talk, straight to the hands-on part:
First, deploy the rclone binary and generate the password:
```
# adduser webdav
# su - webdav
$ mkdir rclone && cd rclone
$ wget https://downloads.rclone.org/v1.61.1/rclone-v1.61.1-linux-amd64.zip
$ unzip rclone-v1.61.1-linux-amd64.zip && mv rclone-v1.61.1-linux-amd64/rclone ./ && rm -rf rclone-v1.61.1-linux-amd64*
$ exit
# cd /home/webdav/rclone && apt-get install apache2-utils && touch htpasswd && htpasswd -B htpasswd webdav_user1
# vim /etc/systemd/system/webdav.service
```
Next, configure systemd to keep the process alive. Copy and paste the following configuration into the vim editor:
```ini
[Unit]
Description=my webdav service
After=network.target

[Service]
User=webdav
# Execute `systemctl daemon-reload` after ExecStart= is changed.
ExecStart=/home/webdav/rclone/rclone serve webdav /home/webdav/Myspaces --addr 127.0.0.1:5000 --htpasswd /home/webdav/rclone/htpasswd

[Install]
WantedBy=multi-user.target
```
Then run the commands below to verify that the service is healthy and the port is listening:
```
# systemctl daemon-reload && systemctl start webdav && systemctl status webdav
# netstat -lnptu
```
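The netstat output only shows that something is listening. The script below is an added example, not part of the original post: it reads the unit file and htpasswd file from the paths used above and checks that rclone is bound to loopback, that `--htpasswd` is set, and that every stored hash is bcrypt (what `htpasswd -B` writes). The function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: static audit of the rclone WebDAV deployment described above.
# Function names are hypothetical; the default paths are the ones used in the post.

# Print the value of --addr from the ExecStart= line of a systemd unit file.
unit_addr() {
    sed -n 's/^ExecStart=.*--addr[ =]\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only for a loopback bind, so that only the local Nginx can reach rclone.
is_loopback() {
    case "$1" in
        127.*:*|localhost:*|'[::1]':*) return 0 ;;
        *) return 1 ;;   # ":5000" or "0.0.0.0:5000" listen on every interface
    esac
}

# Succeed only if ExecStart passes --htpasswd, i.e. the backend itself requires auth.
unit_has_auth() {
    grep -Eq '^ExecStart=.*--htpasswd[ =][^ ]+' "$1"
}

# Print users whose stored hash is not bcrypt ($2a$/$2b$/$2y$ prefix).
weak_htpasswd_users() {
    awk -F: 'NF >= 2 && $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ { print $1 }' "$1"
}

# audit UNIT_FILE HTPASSWD_FILE -> exit status 0 only when every check passes.
audit() {
    rc=0
    addr=$(unit_addr "$1")
    [ -n "$addr" ] && is_loopback "$addr" ||
        { echo "FAIL: --addr is '$addr'; expected an explicit loopback address"; rc=1; }
    unit_has_auth "$1" || { echo "FAIL: ExecStart has no --htpasswd"; rc=1; }
    weak=$(weak_htpasswd_users "$2")
    [ -z "$weak" ] || { echo "FAIL: non-bcrypt htpasswd entries: $weak"; rc=1; }
    return $rc
}

# Usage (as root): sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit /etc/systemd/system/webdav.service /home/webdav/rclone/htpasswd && echo "OK"
fi
```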
Next comes the Nginx reverse proxy. The configuration below was generated by the lnmp vhost add command from Junge's (军哥) lnmp.org:
```nginx
server {
    listen 80;
    #listen [::]:80;
    server_name www.webdav.sharpgan.com webdav.sharpgan.com;
    index index.html index.htm index.php default.html default.htm default.php;

    #include rewrite/none.conf;
    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ {deny all;}

    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    access_log /home/wwwlogs/www.webdav.sharpgan.com.log;
}

server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name www.webdav.sharpgan.com webdav.sharpgan.com;
    index index.html index.htm index.php default.html default.htm default.php;

    ssl_certificate /usr/local/nginx/ssl/cer.pem;
    ssl_certificate_key /usr/local/nginx/ssl/pri.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and the 3DES suites below are legacy;
    # keep them only if old clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

    include rewrite/none.conf;
    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ {deny all;}

    error_page 405 = @app;
    location @app {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }

    access_log /home/wwwlogs/www.webdav.sharpgan.com.log;
    error_log /home/wwwlogs/error.webdav.sharpgan.com.log;
}
```
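You had best run Junge's command to generate the configuration yourself, because it also creates /usr/local/nginx/conf/ssl/dhparam.pem for you. I don't really understand that file; it seems to be security-related.
For the certificate above I used Cloudflare's (CF) free 15-year wildcard certificate. Junge's command prompts you for the certificate path, so just follow the prompts. If it is still unclear, refer to the following blog post by Junge: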
https://www.vpser.net/build/lnmp-wordpress-howto-3.html
Let me go over the most important parts:
```nginx
location / {
    proxy_pass http://127.0.0.1:5000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
}
```
This Nginx block is the core of the whole reverse proxy.
Then there is this block:
```nginx
error_page 405 = @app;
location @app {
    proxy_pass http://127.0.0.1:5000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
}
```
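Without this block, when some applications upload static files such as js and png using the POST method, Nginx returns a method not allowed: 405 error. The regex location blocks for static file extensions in the full configuration take precedence over location /, so requests for those extensions are handled by Nginx itself instead of being proxied to rclone; error_page 405 = @app hands them to the backend through a named location, which keeps the original request method.
I worked this block out myself through trial and error after consulting countless blogs, and it appears to be unique on the whole web. The mainstream approach online is to add a line like "error_page 405 =200 http://$host$request_uri;", but after adding it, GoodSync, a sync tool I use regularly that can sync over WebDAV, reports strange errors, so the mainstream approach is useless.
Finally, configure the DNS records on CF. I trust fellow MJJs all know how to do that, so I won't go into it. One small point: a DNS record like www.webdav.sharpgan.com is not covered by CF's wildcard certificate, because CF only supports subdomains one level below the domain. Just drop the www. part.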