Installing ddns-go manually, getting certificates with acme.sh, reverse-proxying with nginx
Manual installation of ddns-go behind an nginx reverse proxy
I. Download the latest ddns-go package
wget https://github.com/jeessy2/ddns-go/releases/download/v6.6.7/ddns-go_6.6.7_linux_x86_64.tar.gz
II. Install ddns-go manually
1. Create the ddnsgo directory
sudo mkdir /opt/ddnsgo
# create the user that will run ddns-go
sudo useradd -r -s /usr/sbin/nologin -d /opt/ddnsgo -U -M ddnsgo
-r: create a system account.
-s /usr/sbin/nologin: no interactive login.
-d /opt/ddnsgo: set the home directory.
-U: create a group with the same name.
-M: do not create the home directory (it already exists).
2. Extract into the ddnsgo directory
sudo tar -xzvf ddns-go_6.6.7_linux_x86_64.tar.gz -C /opt/ddnsgo
3. Create the ddns-go configuration file
# target: /opt/ddnsgo/.ddns_go_config.yaml (tee -a would append instead of overwrite)
sudo tee /opt/ddnsgo/.ddns_go_config.yaml << 'EOF'
dnsconf:
- name: cloudflare
  ipv4:
    enable: false      # set to true for the address family you actually update
    gettype: url
    url: https://myip.ipip.net, https://ddns.oray.com/checkip, https://ip.3322.net, https://4.ipw.cn
    netinterface: ""
    cmd: ""
    domains:
    - ""
  ipv6:
    enable: false
    gettype: url
    url: https://speed.neu6.edu.cn/getIP.php, https://v6.ident.me, https://6.ipw.cn
    netinterface: ""
    cmd: ""
    ipv6reg: ""
    domains:
    - ""
  dns:
    name: cloudflare
    id: ""
    secret: yourtoken  # Cloudflare API token: the reason this file is chmod 600 below
    ttl: ""
user:
  username:           # web UI login; set a strong password here or on first login,
  password:           # because nginx publishes this UI on the internet
webhook:
  webhookurl: ""
  webhookrequestbody: ""
  webhookheaders: ""
notallowwanaccess: false
lang: zh
EOF
# ownership and permissions: only the service user may read the token
sudo chown -R ddnsgo:ddnsgo /opt/ddnsgo
sudo chmod 600 /opt/ddnsgo/.ddns_go_config.yaml
4. Create a systemd service for ddns-go
# ddns-go only needs to listen on localhost; nginx will front it
sudo tee /etc/systemd/system/ddns-go.service << 'EOF'
[Unit]
Description=Simple and easy to use DDNS. Automatically update domain name resolution to public IP (Support Aliyun, Tencent Cloud, Dnspod, Cloudflare, Callback, Huawei Cloud, Baidu Cloud, Porkbun, GoDaddy...)
ConditionFileIsExecutable=/opt/ddnsgo/ddns-go
Requires=network.target
After=network-online.target

[Service]
StartLimitInterval=5
StartLimitBurst=10
# the binary lives in /opt/ddnsgo (the directory created above), matching ConditionFileIsExecutable
ExecStart=/opt/ddnsgo/ddns-go "-l" "127.0.0.1:9876" "-f" "300" "-cacheTimes" "5" "-c" "/opt/ddnsgo/.ddns_go_config.yaml"
User=ddnsgo
Group=ddnsgo
Restart=always
RestartSec=120
EnvironmentFile=-/etc/sysconfig/ddns-go

[Install]
WantedBy=multi-user.target
EOF
# reload systemd and start the service (the unit is named ddns-go, after the file above)
sudo systemctl daemon-reload
sudo systemctl enable --now ddns-go
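The points this section relies on (a non-login service user, a config file readable only by that user, a loopback-only listen address, and an ExecStart path that matches the ConditionFileIsExecutable line) can be verified rather than assumed. The script below is an added example for this write-up, not ddns-go's own tooling: the function names (unit_field, listen_addr, config_mode_ok, audit_unit) are mine, the sample unit files it writes are constructed for the demonstration, and it assumes GNU coreutils (stat -c).

```bash
#!/usr/bin/env bash
# Audit a ddns-go systemd unit for the hardening points used in this section.
# Added example, not part of ddns-go or the original post. It reads the unit
# layout written above (ExecStart with "-l"/"-c", User=, ConditionFileIsExecutable=).

# unit_field FILE KEY -> value of the first "KEY=value" line in a systemd unit
unit_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# listen_addr FILE -> the argument that follows "-l" in ExecStart (quotes stripped)
listen_addr() {
    unit_field "$1" ExecStart | tr -d '"' |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-l") { print $(i + 1); exit } }'
}

# config_mode_ok FILE -> 0 if the config file (it holds the DNS API token) is mode 600
config_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# audit_unit FILE -> prints each finding, returns the number of findings (0 = clean)
audit_unit() {
    local unit="$1" problems=0 exec_bin cond_bin user addr
    exec_bin=$(unit_field "$unit" ExecStart | tr -d '"' | awk '{ print $1 }')
    cond_bin=$(unit_field "$unit" ConditionFileIsExecutable)
    user=$(unit_field "$unit" User)
    addr=$(listen_addr "$unit")

    # 1. the binary systemd checks for must be the binary it starts; a typo here
    #    makes every start fail with nothing but an exit code in the journal
    if [ -n "$cond_bin" ] && [ "$exec_bin" != "$cond_bin" ]; then
        echo "PROBLEM: ExecStart runs '$exec_bin' but ConditionFileIsExecutable names '$cond_bin'"
        problems=$((problems + 1))
    fi
    # 2. the service must not run as root
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "PROBLEM: User= is missing or root"
        problems=$((problems + 1))
    fi
    # 3. the web UI must bind to loopback only, so it is reachable solely through nginx
    case "$addr" in
        127.0.0.1:* | localhost:* | "[::1]:"*) ;;
        *) echo "PROBLEM: listen address '$addr' is not loopback"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample units (not files from the post): "bad" combines three
# mistakes, "good" matches the unit written above.
write_sample_unit() {   # write_sample_unit FILE bad|good
    if [ "$2" = "bad" ]; then
        cat > "$1" <<'UNIT'
[Unit]
ConditionFileIsExecutable=/opt/ddnsgo/ddns-go
[Service]
ExecStart=/opt/ddns-go/ddns-go "-l" "0.0.0.0:9876" "-c" "/opt/ddnsgo/.ddns_go_config.yaml"
User=root
UNIT
    else
        cat > "$1" <<'UNIT'
[Unit]
ConditionFileIsExecutable=/opt/ddnsgo/ddns-go
[Service]
ExecStart=/opt/ddnsgo/ddns-go "-l" "127.0.0.1:9876" "-c" "/opt/ddnsgo/.ddns_go_config.yaml"
User=ddnsgo
UNIT
    fi
}

# Demo: expect 3 findings for the bad unit and 0 for the good one.
demo_dir=$(mktemp -d)
write_sample_unit "$demo_dir/bad.service" bad
write_sample_unit "$demo_dir/good.service" good
for u in bad good; do
    rc=0; audit_unit "$demo_dir/$u.service" || rc=$?
    echo "$u unit: $rc finding(s)"
done
rm -rf "$demo_dir"
```

On a real host, point audit_unit at /etc/systemd/system/ddns-go.service and config_mode_ok at /opt/ddnsgo/.ddns_go_config.yaml; a non-zero return from either is something to fix before exposing nginx.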
III. Install acme.sh for automatic certificates
1. Install acme.sh
sudo apt install cron
# run the installer as root so acme.sh lands in /root/.acme.sh (the path used in step 2) and its renewal cron job runs as root
curl https://get.acme.sh | sudo sh -s email=yourmail@xx.com --force
# the alias the installer adds to /root/.bashrc only exists in a root shell, so the commands below call the script by its full path
2. Add the Cloudflare token by hand
# token method: append it to account.conf
echo "SAVED_CF_Token='yourtoken'" | sudo tee -a /root/.acme.sh/account.conf
3. Change the default CA
# Let's Encrypt is used here
sudo /root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
4. Issue and install the certificate
# use the Cloudflare DNS API; a wildcard covers one label only, so *.yoursite.xyz does not
# cover the bare yoursite.xyz (add -d yoursite.xyz if nginx will serve that name)
sudo /root/.acme.sh/acme.sh --issue --dns dns_cf -d "*.yoursite.xyz"
# install the certificate: nginx must already be installed and the ssl directory must exist
sudo mkdir -p /etc/nginx/ssl
sudo /root/.acme.sh/acme.sh --install-cert -d "*.yoursite.xyz" \
  --key-file /etc/nginx/ssl/key.pem \
  --fullchain-file /etc/nginx/ssl/cer.pem
# fully automatic renewal: re-run the issue with --force so the renew hook is recorded
# (without --force, acme.sh skips a domain whose certificate is still valid and does not save the hook)
sudo /root/.acme.sh/acme.sh --issue --dns dns_cf -d "*.yoursite.xyz" --force \
  --renew-hook "/root/.acme.sh/acme.sh --install-cert -d '*.yoursite.xyz' \
  --key-file /etc/nginx/ssl/key.pem \
  --fullchain-file /etc/nginx/ssl/cer.pem \
  --reloadcmd 'systemctl reload nginx'"
From now on acme.sh renews the certificate and installs it automatically.
IV. Configure the nginx reverse proxy
1. Install nginx
# nothing to explain here
sudo apt install nginx
sudo systemctl enable nginx.service --now
2. Add the reverse-proxy configuration file ddnsgo.conf
# quote the heredoc delimiter so the shell leaves nginx variables such as $host alone
sudo tee /etc/nginx/conf.d/ddnsgo.conf << 'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name yoursite.xyz;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yoursite.xyz;
    charset utf-8;
    ssl_certificate /etc/nginx/ssl/cer.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_session_timeout 5m;
    # TLSv1/TLSv1.1 and the 3DES suites below are deprecated; drop them unless a legacy client needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:9876;
        # the max size of file to upload
        client_max_body_size 20000m;
    }
    access_log /var/log/nginx/ddnsgo-access.log;
    error_log /var/log/nginx/ddnsgo-error.log;
}
EOF
3. Check the configuration and reload nginx
# verify the configuration is valid
sudo nginx -t
# reload nginx
sudo systemctl reload nginx
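The certificate requested above is *.yoursite.xyz while the nginx server_name is the bare yoursite.xyz, so it is worth checking that the installed certificate actually covers the served name, and watching its expiry so a failed renewal is noticed before clients see errors. The script below is an added example for this write-up, not code from acme.sh, nginx or the post: the helper names (san_matches, cert_sans, cert_covers_host, cert_days_left) are mine, the certificate the demo generates is a constructed self-signed stand-in, and it assumes openssl 1.1.1 or newer (for -ext/-addext) and GNU date.

```bash
#!/usr/bin/env bash
# Check that a certificate covers the host nginx serves, and how many days it has left.
# Added example, not from acme.sh, nginx or the original post. Point cert_covers_host at
# /etc/nginx/ssl/cer.pem (the path used above) and the server_name from ddnsgo.conf.

# san_matches PATTERN HOST -> 0 if HOST is covered by PATTERN: a leading "*." matches
# exactly one label (so "*.yoursite.xyz" covers "ddns.yoursite.xyz" but neither the
# bare "yoursite.xyz" nor "a.b.yoursite.xyz"); any other pattern must match literally.
san_matches() {
    local pattern host suffix first rest
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix="${pattern#\*.}"     # "yoursite.xyz"
            first="${host%%.*}"         # leftmost label of the host
            rest="${host#*.}"           # host without its leftmost label
            [ "$rest" != "$host" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# cert_sans CERT -> DNS names from the Subject Alternative Name extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers_host CERT HOST -> 0 if any SAN entry covers HOST
cert_covers_host() {
    local name
    while IFS= read -r name; do
        [ -n "$name" ] && san_matches "$name" "$2" && return 0
    done <<EOF
$(cert_sans "$1")
EOF
    return 1
}

# cert_days_left CERT -> whole days until notAfter (negative once expired); needs GNU date
cert_days_left() {
    local not_after
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -u -d "$not_after" +%s) - $(date -u +%s) ) / 86400 ))
}

# Demo with a constructed self-signed certificate whose only SAN is the wildcard,
# the same shape as the certificate requested above with "-d *.yoursite.xyz".
tmp=$(mktemp -d)
if command -v openssl >/dev/null 2>&1 &&
   openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
       -keyout "$tmp/key.pem" -out "$tmp/cer.pem" -days 30 \
       -subj "/CN=*.yoursite.xyz" -addext "subjectAltName=DNS:*.yoursite.xyz" >/dev/null 2>&1; then
    for h in ddns.yoursite.xyz yoursite.xyz a.b.yoursite.xyz; do
        if cert_covers_host "$tmp/cer.pem" "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered (browsers would report a name mismatch)"
        fi
    done
    echo "days left: $(cert_days_left "$tmp/cer.pem")"
else
    echo "demo skipped: openssl 1.1.1+ not available"
fi
rm -rf "$tmp"
```

Run against the live files, the first two checks belong in a cron job or monitoring probe: cert_covers_host failing means the acme.sh request and the nginx server_name disagree, and cert_days_left dropping below about 30 means the renewal cron job or the renew hook is not working, since acme.sh renews well before expiry.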
V. Configure logrotate for the nginx logs
1. Install logrotate
sudo apt update
sudo apt install logrotate
2. Configure logrotate for nginx
By default a rotation configuration for nginx is already present at /etc/logrotate.d/nginx:
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -s /run/nginx.pid ] && kill -USR1 `cat /run/nginx.pid`
    endscript
}
/var/log/nginx/*.log: the log files to rotate; nginx logs normally live under /var/log/nginx/.
daily: rotation frequency, here once a day; weekly or monthly also work.
missingok: do not report an error if a log file is missing, just carry on.
rotate 14: keep 14 rotated files (14 days of logs).
compress: compress rotated log files.
delaycompress: postpone compression by one rotation cycle, so the current log and the most recent rotated one stay uncompressed.
notifempty: do not rotate an empty log file.
create 0640 www-data adm: create a fresh log file after rotation with this mode, owner and group.
sharedscripts: when several files match the pattern, run the postrotate script once after all of them have been rotated.
postrotate ... endscript: the script to run after rotation; here it sends USR1 to the nginx master process so nginx reopens its log files. [ -s /run/nginx.pid ] checks that the PID file exists and is non-empty.
3. Test the logrotate configuration by hand
Once it is set up, test the configuration manually to make sure it works:
sudo logrotate -d /etc/logrotate.d/nginx
The -d option runs in debug mode: nothing is rotated, it only shows what would happen.
If everything looks right, force one rotation:
sudo logrotate -f /etc/logrotate.d/nginx
Summary
Running ddns-go as an ordinary user that cannot log in is safer than running it as root, and binding it to localhost keeps its port off the public internet. acme.sh obtains certificates automatically and nginx reverse-proxies the service over HTTPS. Finally, logrotate keeps the nginx log files tidy and easy to manage.