A more secure manual alist installation: mounting local storage and reverse-proxying with nginx

Manual alist installation with a local storage mount and an nginx reverse proxy

I. Download the latest alist release package

wget https://github.com/alist-org/alist/releases/download/v3.36.0/alist-linux-amd64.tar.gz

II. Install alist manually

1. Create the alist directory

sudo mkdir /opt/alist
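# Create the user that runs alist
sudo useradd -r -s /usr/sbin/nologin -d /opt/alist -U -M alist
  • -r: create a system account.
  • -s /usr/sbin/nologin: disallow interactive login.
  • -d /opt/alist: set the user's home directory.
  • -U: create a group with the same name as the user.
  • -M: do not create the home directory.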

2. Extract into the alist directory

sudo tar -xzvf alist-linux-amd64.tar.gz -C /opt/alist

3. Create the systemd service for alist

sudo tee /etc/systemd/system/alist.service << EOF
[Unit]
Description=Alist service
Wants=network.target
After=network.target network.service

[Service]
Type=simple
WorkingDirectory=/opt/alist
ExecStart=/opt/alist/alist server
KillMode=process
User=alist
Group=alist

[Install]
WantedBy=multi-user.target
EOF

4. Set ownership, start the alist service, and edit the alist configuration file

sudo chown -R alist:alist /opt/alist

# Reload systemd and start alist
sudo systemctl daemon-reload
sudo systemctl enable alist --now
# Change the listen address to localhost only
sudo sed -i 's/0\.0\.0\.0/127.0.0.1/g' /opt/alist/data/config.json
sudo systemctl restart alist
# Set the admin login password
sudo /opt/alist/alist admin set YOUR_PASSWORD

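5. Configure alist to mount local storage

# Create the local directory
sudo mkdir /storage
sudo chown -R alist:alist /storage
# Set the setgid bit so that new files and directories inherit the alist group
sudo chmod -R 2774 /storage
# Add the current regular user to the alist group for easier file management
sudo usermod -aG alist ubuntu

In the web UI, choose the 本机存储 (local storage) driver, set the mount path to /本机存储, and set the root folder path to /storage.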
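
The steps in this section aim for three properties: a non-root service user, a listener bound to 127.0.0.1 only, and a setgid storage directory that others cannot write to. The script below checks them after installation; it is an added example, not part of the original post. The function names and pass criteria are assumptions, and the default paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example: read-only checks for the state the steps above should produce.
# Default paths are the ones used in this guide; the pass criteria are assumptions.

# Succeeds if the unit file's effective (last) User= is set and is not root.
unit_user_nonroot() {
    user=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$1" | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ] && [ "$user" != "0" ]
}

# Succeeds if config.json contains 127.0.0.1 and no leftover 0.0.0.0,
# i.e. the sed edit from step 4 was applied.
listen_is_loopback() {
    grep -qF '127.0.0.1' "$1" && ! grep -qF '0.0.0.0' "$1"
}

# Succeeds if an octal mode (e.g. 2774) has setgid set and no write bit for "other".
mode_is_tight() {
    m=$((0$1))
    [ $((m & 02000)) -ne 0 ] && [ $((m & 00002)) -eq 0 ]
}

# Runs all three checks, prints one line per failure, returns non-zero on any failure.
audit_alist() {
    unit=${1:-/etc/systemd/system/alist.service}
    conf=${2:-/opt/alist/data/config.json}
    store=${3:-/storage}
    rc=0
    unit_user_nonroot "$unit" || { echo "FAIL: $unit has no non-root User="; rc=1; }
    listen_is_loopback "$conf" || { echo "FAIL: $conf is not bound to 127.0.0.1 only"; rc=1; }
    mode_is_tight "$(stat -c %a "$store" 2>/dev/null)" ||
        { echo "FAIL: $store is missing, lacks setgid, or is writable by others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: unprivileged user, loopback listener, tight storage mode"
    return "$rc"
}

# Usage: sudo sh audit.sh run
if [ "${1:-}" = "run" ]; then audit_alist; fi
```

Run it with sudo so that /opt/alist/data/config.json is readable; `stat -c` assumes GNU coreutils.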

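III. Configure the nginx reverse proxy

This continues from the previous post on ddnsgo; only minor changes are needed.

# Quote EOF so the shell does not expand nginx variables such as $host
sudo tee /etc/nginx/conf.d/alist.conf << 'EOF'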
server
    {
        listen 80;
        listen [::]:80;
        server_name yoursite;
        return 301 https://$host$request_uri;
}
server
    {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name yoursite;
        charset utf-8;

        ssl_certificate /etc/nginx/ssl/cer.pem;
        ssl_certificate_key /etc/nginx/ssl/key.pem;
        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); 3DES suites are not offered
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
        #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        location / {
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $host:$server_port;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Range $http_range;
          proxy_set_header If-Range $http_if_range;
          proxy_redirect off;
          proxy_pass http://127.0.0.1:5244;
          # the max size of file to upload
          client_max_body_size 20000m;
        }

        access_log /var/log/nginx/alist-access.log;
        error_log /var/log/nginx/alist-error.log;
    }
EOF

Summary

alist does not need to run as root at all; mounting local storage with tightened permissions is more secure.

posted @ 2024-08-06 11:29  Holdmyhand