Setting up an intranet tunneling (NAT traversal) service
This article is reposted from the original author's blog: https://blog.52itstyle.vip/archives/3987/
Hardware and software checklist
- One cloud server
- One ICP-registered domain name
- Open-source Nginx, Docker and Ngrok
Pick a directory on the server and create the following files in it:
├── build.sh
├── docker-compose.yml
├── Dockerfile
└── server.sh
Dockerfile
FROM golang:1.7.1-alpine
MAINTAINER hteen <i@hteen.cn>

# git, make and openssl are needed to fetch, build and sign the ngrok release
RUN apk add --no-cache git make openssl
RUN git clone https://github.com/inconshreveable/ngrok.git /ngrok

# build.sh and server.sh from the current directory go into the image root
ADD *.sh /

# **None** is a placeholder: the scripts refuse to run until DOMAIN is overridden
ENV DOMAIN **None**
ENV MY_FILES /myfiles
ENV TUNNEL_ADDR :4443
ENV HTTP_ADDR :80
ENV HTTPS_ADDR :443

EXPOSE 4443
EXPOSE 80
EXPOSE 443

CMD /bin/sh
build.sh configuration:
#!/bin/sh
set -e

# DOMAIN must be passed in with -e DOMAIN=...; the Dockerfile default is the placeholder **None**
if [ "${DOMAIN}" = "**None**" ]; then
    echo "Please set DOMAIN"
    exit 1
fi

cd "${MY_FILES}"

# On the first run only: create a self-signed root (base.pem) and a server
# certificate (device.crt) signed by it. Both live on the mounted host directory.
if [ ! -f "${MY_FILES}/base.pem" ]; then
    openssl genrsa -out base.key 2048
    openssl req -new -x509 -nodes -key base.key -days 10000 -subj "/CN=${DOMAIN}" -out base.pem
    openssl genrsa -out device.key 2048
    openssl req -new -key device.key -subj "/CN=${DOMAIN}" -out device.csr
    openssl x509 -req -in device.csr -CA base.pem -CAkey base.key -CAcreateserial -days 10000 -out device.crt
fi

# The root certificate is compiled into the clients, so they trust only this server
cp -r base.pem /ngrok/assets/client/tls/ngrokroot.crt

cd /ngrok
make release-server
GOOS=linux GOARCH=386 make release-client
GOOS=linux GOARCH=amd64 make release-client
GOOS=windows GOARCH=386 make release-client
GOOS=windows GOARCH=amd64 make release-client
GOOS=darwin GOARCH=386 make release-client
GOOS=darwin GOARCH=amd64 make release-client
GOOS=linux GOARCH=arm make release-client

# Copy the server and all client binaries to the mounted volume
cp -r /ngrok/bin "${MY_FILES}/bin"
echo "build ok !"
server.sh configuration:
#!/bin/sh
set -e

if [ "${DOMAIN}" = "**None**" ]; then
    echo "Please set DOMAIN"
    exit 1
fi

# Build the binaries on first start if they are not on the mounted volume yet
if [ ! -f "${MY_FILES}/bin/ngrokd" ]; then
    echo "ngrokd is not built, building it now..."
    /bin/sh /build.sh
fi

# Start the tunnel server with the certificate generated by build.sh
"${MY_FILES}/bin/ngrokd" -tlsKey="${MY_FILES}/device.key" -tlsCrt="${MY_FILES}/device.crt" \
    -domain="${DOMAIN}" -httpAddr="${HTTP_ADDR}" -httpsAddr="${HTTPS_ADDR}" -tunnelAddr="${TUNNEL_ADDR}"
docker-compose.yml configuration:
server:
  image: hteen/ngrok
  ports:
    - "8082:80"
    - "4432:443"
    - "4443:4443"
  volumes:
    - /data/ngrok:/myfiles
  environment:
    # no quotes around the value: in list form compose would pass them through literally
    - DOMAIN=tunnel.hteen.cn
  command: /bin/sh /server.sh
Then build the image:
docker build -t hteen/ngrok .
Startup
- We need to mount a host directory (e.g. /data/ngrok) onto the container's /myfiles directory
- On the first run it will generate the binaries and the CA certificate under /data/ngrok
sudo docker run --rm -it \
    -e DOMAIN="ngrok.52itstyle.vip" \
    -v /data/ngrok:/myfiles \
    hteen/ngrok /bin/sh /build.sh
On success you will see output like the following (intermediate steps omitted):
Generating RSA private key, 2048 bit long modulus
.............................+++
.............................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
...............................+++
...............................+++
go get -tags 'release' -d -v ngrok/...
go install -tags 'release' ngrok/main/ngrok
build ok !
The client and server binaries are generated under /data/ngrok/bin:
├── darwin_386
│   └── ngrok
├── darwin_amd64
│   └── ngrok
├── go-bindata
├── linux_386
│   └── ngrok
├── linux_arm
│   └── ngrok
├── ngrok
├── ngrokd
├── windows_386
│   └── ngrok.exe
└── windows_amd64
    └── ngrok.exe
Starting the Ngrok server
Because ngrok listens on ports 80 and 443 by default, here we put Nginx in front to forward traffic and reach the Docker container through port mapping (see the docker-compose.yml configuration).
docker run -idt --name ngrok-server \
    -v /data/ngrok:/myfiles \
    -p 8082:80 \
    -p 4432:443 \
    -p 4443:4443 \
    -e DOMAIN='ngrok.52itstyle.vip' \
    hteen/ngrok /bin/sh /server.sh
# DOMAIN must be the same value used for build.sh: the certificate CN,
# the Nginx server_name and the client's server_addr all depend on it
After it starts, add two reverse-proxy entries to nginx.conf (configure the HTTPS one yourself):
server {
    listen 80;
    server_name ngrok.52itstyle.vip *.ngrok.52itstyle.vip;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8082;
    }
}
Configuring DNS resolution
Once the service is running, it still needs two A records pointing at the cloud server before it works (replace with your own IP address):
Starting the Ngrok client
First download the client for your platform from the /data/ngrok/bin directory.
Windows test
First create an ngrok.yml configuration file:
server_addr: "ngrok.52itstyle.vip:4443"
# false: trust only the root certificate compiled into this client, not the OS trust store
trust_host_root_certs: false
tunnels:
  doc:
    proto:
      http: "8080"
    auth: "admin:admin"   # username:password for access; comment out to allow access without a password
  owncloud:
    proto:
      http: "8081"
Open a cmd window, change to the directory containing the client, and run one of the following commands:
ngrok.exe -config=ngrok.yml start doc        # start a single tunnel
ngrok.exe -config=ngrok.yml start-all        # start all tunnels
If the following screen appears, the installation succeeded:
Tunnel Status   online
Version         1.7/1.7
Forwarding      http://doc.ngrok.52itstyle.vip -> 127.0.0.1:8080
Web Interface   127.0.0.1:4040
# Conn          0
Avg Conn Time   0.00ms
Notes
- The firewall must allow inbound port 4443, otherwise the client cannot connect to the server