# Runbook: nginx edge in front of an frps container, with a GeoIP country gate.
# Commands are meant to be run interactively as root on the Docker host; each
# "vi <file>" line opens the file whose contents follow on this page.

# User-defined bridge network shared by nginx and frps (the upstream name
# "frps" in frp_oc.conf is resolved over this network).
docker network create -d bridge frp-net
# IP geolocation database (DB-IP country lite, 2022-02 monthly snapshot).
# NOTE(review): no checksum or signature check of the download is done here,
# and the file is later bind-mounted into the container without ":ro".
wget https://download.db-ip.com/free/dbip-country-lite-2022-02.mmdb.gz
gunzip dbip-country-lite-2022-02.mmdb.gz
# Path referenced by the geoip2 block in nginx.conf and by the docker run -v flag.
mv dbip-country-lite-2022-02.mmdb /etc/maxmind-country.mmdb
# Main configuration file (assumes /etc/nginx/ already exists on the host).
cd /etc/nginx/
vi nginx.conf
# /etc/nginx/nginx.conf — main configuration, bind-mounted into the container
# by the docker run command at the end of this page.
# One worker per available CPU core.
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 65535;
multi_accept on;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
# Do not write "file not found" errors to error_log. Quieter logs, but probing
# for non-existent paths leaves no trace in error.log either.
log_not_found off;
types_hash_max_size 2048;
# Request bodies larger than this are rejected with 413.
client_max_body_size 16M;
# MIME
include /etc/nginx/mime.types;
# Fallback Content-Type; also what "return" bodies get unless a location sets
# its own default_type (see default.conf / frp_oc.conf in conf.d).
default_type application/octet-stream;
# logging
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
keepalive_timeout 65;
# GeoIP2 country lookup (ngx_http_geoip2_module) against the DB-IP file
# downloaded above; the variables defined here are consumed by frp_oc.conf.
geoip2 /etc/maxmind-country.mmdb {
# Re-check the database file for changes every 5 minutes.
auto_reload 5m;
# Build timestamp of the loaded database; not referenced elsewhere on this page.
$geoip2_metadata_country_build metadata build_epoch;
# Lookup keyed on $remote_addr, i.e. the direct TCP peer — appropriate while this
# nginx is the internet-facing edge (client-supplied headers are not consulted).
# default=CN: addresses absent from the database (private/Docker ranges, newly
# allocated space) resolve to CN and therefore PASS the "!~ CN" check in
# frp_oc.conf. This is fail-open; pick a non-matching default if that is unintended.
$geoip2_data_country_code default=CN source=$remote_addr country iso_code;
# English country name; not referenced elsewhere on this page.
$geoip2_data_country_name country names en;
}
# load configs
include /etc/nginx/conf.d/*.conf;
}
# nginxconfig.io/ holds the snippets included by the server blocks below
# (general.conf, proxy.conf, security.conf). The directory is assumed to exist
# already — create it with "mkdir -p nginxconfig.io" first if it does not.
cd nginxconfig.io
vi general.conf
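# nginxconfig.io/general.conf — response compression, included per server block.
# gzip
gzip on;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain variants apart.
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
# The terminating ';' was missing on this directive, so nginx read the following
# "brotli on" tokens as extra gzip_types arguments and brotli was never enabled.
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml image/jpeg image/png;
# brotli (requires the ngx_brotli module to be present in the nginx image)
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;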
# Upstream request headers and timeouts, included from "location /" in frp_oc.conf.
vi proxy.conf
# nginxconfig.io/proxy.conf — upstream request settings, included inside
# "location /" of frp_oc.conf.
# HTTP/1.1 towards the upstream (needed for the Upgrade header set below).
proxy_http_version 1.1;
# Never serve upgrade requests from cache; no proxy_cache is configured on this
# page, so this is currently inert.
proxy_cache_bypass $http_upgrade;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
# $connection_upgrade would need a "map $http_upgrade $connection_upgrade" in the
# http context, which nginx.conf does not define; with Connection left unset,
# WebSocket upgrades presumably do not complete through this proxy — verify if
# the frps clients rely on them.
#proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
# Direct TCP peer address (the same value the geoip2 lookup uses).
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header Forwarded $proxy_add_forwarded;
# Appends $remote_addr to any client-supplied X-Forwarded-For: only the right-most
# entry is trustworthy; everything before it is attacker-controlled input.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# Port nginx accepted the connection on (80/8080 inside the container), not a
# host-side mapped port.
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Security response headers; note that frp_oc.conf has the include for this file commented out.
vi security.conf
# nginxconfig.io/security.conf — response security headers and dotfile denial.
# NOTE: neither server block on this page includes this file (the include in
# frp_oc.conf is commented out), so none of these headers are currently sent.
# add_header is only inherited into locations that set no add_header of their
# own, so a location-level add_header would also drop all of these.
# security headers
# "always" attaches the header to error (4xx/5xx) responses as well.
# Legacy header; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Permissive policy: any http/https origin plus inline scripts are allowed, so its
# effective restriction is the anti-framing rule frame-ancestors 'self'.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
# Opt out of FLoC cohort computation.
add_header Permissions-Policy "interest-cohort=()" always;
# HSTS is only honored when received over HTTPS; both listeners on this page are
# plain HTTP (80 and 8080), so this header has no effect until TLS terminates here.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# . files
# Deny dotfiles and dot-directories (.git, .env, ...) except /.well-known (ACME etc.).
location ~ /\.(?!well-known) {
deny all;
}
# Server blocks live in conf.d/ (pulled in by the include at the end of nginx.conf).
cd ../conf.d/
# Only requests whose source IP geolocates to China may reach the service via
# the domain; everything else is denied.
vi default.conf
# conf.d/default.conf — catch-all for port 80: any Host name not matched by
# another server block gets a fixed decoy body instead of a proxied response.
server {
listen 80 default_server;
# "_" never matches a real name; this block is selected purely via default_server.
server_name _;
location / {
# Sets the Content-Type of the "return" body (compare the add_header in frp_oc.conf).
default_type text/plain;
return 200 '╮( ̄▽  ̄)╭';
# No logging for this server: Host-header probing against the bare IP leaves no trace.
error_log /dev/null;
access_log off;
}
}
# Reverse proxy to frps, gated on the client's GeoIP country.
vi frp_oc.conf
# conf.d/frp_oc.conf — reverse proxy for frps, restricted to clients whose
# source IP geolocates to China.
server {
# Port 8080 inside the container. The docker run on this page publishes only
# 80:80, so this listener is not exposed on the host; it is reachable from
# other containers on frp-net or via the container address — confirm intended.
listen 8080;
server_name xxxx.net;
# security
# security.conf is not included, so this server sends no security headers.
# include nginxconfig.io/security.conf;
# additional config
include nginxconfig.io/general.conf;
location / {
# Country Restrict
# $geoip2_data_country_code comes from the geoip2 block in nginx.conf. That
# block sets default=CN, so addresses the database cannot resolve pass this
# check. Non-CN clients get the same decoy 200 body as default.conf, not a 403.
if ($geoip2_data_country_code !~ CN) {
# NOTE(review): add_header appends a Content-Type header rather than replacing the
# one derived from default_type (application/octet-stream per nginx.conf), so the
# response most likely carries two. default.conf sets the type of its "return"
# body with "default_type text/plain;" at location level — consider the same here.
add_header Content-Type text/plain;
return 200 '╮( ̄▽  ̄)╭';
}
include nginxconfig.io/proxy.conf;
# "frps" presumably resolves via Docker DNS on frp-net (see docker network connect).
proxy_pass http://frps:8080;
# No error or access logging for this location: blocked non-CN requests and
# upstream errors leave no trace. Keep access_log on if you want to see scanning.
error_log /dev/null;
access_log off;
}
}
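# Start the nginx container in the background and attach it to frp-net so the
# upstream name "frps" in frp_oc.conf resolves. The original command passed the
# image reference as the value of --name and listed no image at all, so it could
# not start, and the container was never named "nginx" as the following
# "docker network connect" requires. -d is added so the connect step can run
# once the container is up.
# NOTE(review): the config and database mounts are read-write; appending ":ro"
# would keep a compromised container from altering the host copies. frp_oc.conf
# listens on 8080, which is not published here — add "-p 8080:8080" if intended.
docker run -d --restart=always \
  -p 80:80 \
  -v /etc/maxmind-country.mmdb:/etc/maxmind-country.mmdb \
  -v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf \
  -v /etc/nginx/conf.d/:/etc/nginx/conf.d/ \
  -v /etc/nginx/nginxconfig.io/:/etc/nginx/nginxconfig.io/ \
  --name nginx rsnow/nginx:amd64-1.22.0
# Attach the named container to the bridge network created at the top of the page.
docker network connect frp-net nginx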