fix: use webroot nginx site for acme.sh certificate issuance
Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -1,108 +1,109 @@
|
|||||||
# jiedian — VPS 自建节点
|
# jiedian — VPS 自建节点
|
||||||
|
|
||||||
个人/家庭自用的 **VLESS + Reality(主力)** + **Hysteria2(备用)** 双栈方案,基于 [sing-box](https://github.com/SagerNet/sing-box)。
|
个人/家庭自用的 **VLESS + Reality(主力)** + **Hysteria2(备用)** 双栈方案,基于 [sing-box](https://github.com/SagerNet/sing-box)。
|
||||||
|
|
||||||
**仓库**:https://git.bz121.com/dekun/jiedian.git
|
**仓库**:https://git.bz121.com/dekun/jiedian.git
|
||||||
**部署路径**:`/opt/jiedian`(Ubuntu)
|
**部署路径**:`/opt/jiedian`(Ubuntu)
|
||||||
|
|
||||||
| 项目 | 值 |
|
| 项目 | 值 |
|
||||||
|------|-----|
|
|------|-----|
|
||||||
| VPS IP | `47.76.87.111` |
|
| VPS IP | `47.76.87.111` |
|
||||||
| 域名 | `66.hyf2.cc` |
|
| 域名 | `66.hyf2.cc` |
|
||||||
|
|
||||||
> 完整部署步骤见 **[docs/DEPLOY.md](docs/DEPLOY.md)**
|
> 完整部署步骤见 **[docs/DEPLOY.md](docs/DEPLOY.md)**
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 快速部署(Ubuntu VPS)
|
## 快速部署(Ubuntu VPS)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh root@47.76.87.111
|
ssh root@47.76.87.111
|
||||||
|
|
||||||
apt update && apt install -y git
|
apt update && apt install -y git
|
||||||
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
||||||
cd /opt/jiedian
|
cd /opt/jiedian
|
||||||
bash scripts/install.sh
|
bash scripts/install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
安装完成后:
|
安装完成后:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cat /opt/jiedian/client/generated/share-links.txt
|
cat /opt/jiedian/client/generated/share-links.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
客户端导入见 [docs/client-import.md](docs/client-import.md)。
|
客户端导入见 [docs/client-import.md](docs/client-import.md)。
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 架构
|
## 架构
|
||||||
|
|
||||||
```
|
```
|
||||||
客户端 (Win/iOS/Android)
|
客户端 (Win/iOS/Android)
|
||||||
│
|
│
|
||||||
├─ TCP 443 ──► sing-box VLESS+Reality ──► 直连出站
|
├─ TCP 443 ──► sing-box VLESS+Reality ──► 直连出站
|
||||||
│
|
│
|
||||||
└─ UDP 8443 ─► sing-box Hysteria2 ─────► 直连出站
|
└─ UDP 8443 ─► sing-box Hysteria2 ─────► 直连出站
|
||||||
|
|
||||||
Nginx 127.0.0.1:8080 ← 伪装静态页(fallback)
|
Nginx 127.0.0.1:8080 ← 伪装静态页(fallback)
|
||||||
```
|
```
|
||||||
|
|
||||||
详细选型见 [docs/STACK.md](docs/STACK.md)。
|
详细选型见 [docs/STACK.md](docs/STACK.md)。
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 目录结构
|
## 目录结构
|
||||||
|
|
||||||
```
|
```
|
||||||
/opt/jiedian/
|
/opt/jiedian/
|
||||||
├── .env # 环境变量(IP/域名/密钥,已预填)
|
├── .env # 环境变量(IP/域名/密钥,已预填)
|
||||||
├── scripts/
|
├── scripts/
|
||||||
│ ├── generate-keys.sh # 生成 UUID / Reality 密钥 / Hy2 密码
|
│ ├── generate-keys.sh # 生成 UUID / Reality 密钥 / Hy2 密码
|
||||||
│ ├── install.sh # 一键部署
|
│ ├── install.sh # 一键部署
|
||||||
│ └── render-client.sh # 本地渲染客户端配置
|
│ └── render-client.sh # 本地渲染客户端配置
|
||||||
├── server/
|
├── server/
|
||||||
│ ├── sing-box.json.template
|
│ ├── sing-box.json.template
|
||||||
│ └── nginx/ # fallback 伪装站
|
│ └── nginx/ # fallback 伪装站
|
||||||
├── client/
|
├── client/
|
||||||
│ └── sing-box-client.json.template
|
│ └── sing-box-client.json.template
|
||||||
└── docs/
|
└── docs/
|
||||||
├── DEPLOY.md # Ubuntu 部署指南(主文档)
|
├── DEPLOY.md # Ubuntu 部署指南(主文档)
|
||||||
├── client-import.md # 客户端导入
|
├── client-import.md # 客户端导入
|
||||||
└── troubleshooting.md # 故障排查
|
└── troubleshooting.md # 故障排查
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 端口与防火墙
|
## 端口与防火墙
|
||||||
|
|
||||||
| 端口 | 协议 | 用途 |
|
| 端口 | 协议 | 用途 |
|
||||||
|------|------|------|
|
|------|------|------|
|
||||||
| 22 | TCP | SSH |
|
| 22 | TCP | SSH |
|
||||||
| 443 | TCP | VLESS + Reality |
|
| 80 | TCP | HTTP(Let's Encrypt 证书验证) |
|
||||||
| 8443 | UDP | Hysteria2 |
|
| 443 | TCP | VLESS + Reality |
|
||||||
|
| 8443 | UDP | Hysteria2 |
|
||||||
---
|
|
||||||
|
---
|
||||||
## 常用运维
|
|
||||||
|
## 常用运维
|
||||||
```bash
|
|
||||||
systemctl status sing-box
|
```bash
|
||||||
journalctl -u sing-box -f
|
systemctl status sing-box
|
||||||
sing-box check -c /etc/sing-box/config.json && systemctl restart sing-box
|
journalctl -u sing-box -f
|
||||||
/root/.acme.sh/acme.sh --renew -d 66.hyf2.cc --force
|
sing-box check -c /etc/sing-box/config.json && systemctl restart sing-box
|
||||||
```
|
/root/.acme.sh/acme.sh --renew -d 66.hyf2.cc --force
|
||||||
|
```
|
||||||
---
|
|
||||||
|
---
|
||||||
## 防墙要点
|
|
||||||
|
## 防墙要点
|
||||||
1. 不要公开分享节点链接
|
|
||||||
2. Reality SNI 使用 `www.microsoft.com`,不要用 `66.hyf2.cc`
|
1. 不要公开分享节点链接
|
||||||
3. 客户端开启 uTLS / chrome 指纹
|
2. Reality SNI 使用 `www.microsoft.com`,不要用 `66.hyf2.cc`
|
||||||
4. 被封后:换 serverName → 换 IP → 换 VPS 地区
|
3. 客户端开启 uTLS / chrome 指纹
|
||||||
|
4. 被封后:换 serverName → 换 IP → 换 VPS 地区
|
||||||
---
|
|
||||||
|
---
|
||||||
## 免责声明
|
|
||||||
|
## 免责声明
|
||||||
本项目仅供学习网络技术使用。请遵守当地法律法规。
|
|
||||||
|
本项目仅供学习网络技术使用。请遵守当地法律法规。
|
||||||
|
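Review bot: the README's manual renewal line `/root/.acme.sh/acme.sh --renew -d 66.hyf2.cc --force` has no follow-up `systemctl restart sing-box`, while the same "常用运维" block in docs/DEPLOY.md in this commit does; sing-box keeps serving the old certificate until it is restarted, unless the `--install-cert` call in install.sh carries a `--reloadcmd`, which is not visible in this diff. Add the restart line here, or document the reloadcmd once and drop the manual restart from both files. The new `80/tcp` row in the port table is consistent with the ufw change in install.sh.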
|||||||
+166
-166
@@ -1,166 +1,166 @@
|
|||||||
# Ubuntu 部署指南
|
# Ubuntu 部署指南
|
||||||
|
|
||||||
仓库:[https://git.bz121.com/dekun/jiedian.git](https://git.bz121.com/dekun/jiedian.git)
|
仓库:[https://git.bz121.com/dekun/jiedian.git](https://git.bz121.com/dekun/jiedian.git)
|
||||||
|
|
||||||
| 项目 | 值 |
|
| 项目 | 值 |
|
||||||
|------|-----|
|
|------|-----|
|
||||||
| VPS IP | `47.76.87.111` |
|
| VPS IP | `47.76.87.111` |
|
||||||
| 域名 | `66.hyf2.cc` |
|
| 域名 | `66.hyf2.cc` |
|
||||||
| 部署目录 | `/opt/jiedian` |
|
| 部署目录 | `/opt/jiedian` |
|
||||||
| 系统 | Ubuntu 22.04 / 24.04 |
|
| 系统 | Ubuntu 22.04 / 24.04 |
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 部署前准备
|
## 部署前准备
|
||||||
|
|
||||||
### 1. DNS 解析
|
### 1. DNS 解析
|
||||||
|
|
||||||
在域名控制台添加 **A 记录**:
|
在域名控制台添加 **A 记录**:
|
||||||
|
|
||||||
```
|
```
|
||||||
66.hyf2.cc → 47.76.87.111
|
66.hyf2.cc → 47.76.87.111
|
||||||
```
|
```
|
||||||
|
|
||||||
验证(本地或 VPS 上执行):
|
验证(本地或 VPS 上执行):
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
dig +short A 66.hyf2.cc
|
dig +short A 66.hyf2.cc
|
||||||
# 应返回 47.76.87.111
|
# 应返回 47.76.87.111
|
||||||
```
|
```
|
||||||
|
|
||||||
### 2. SSH 登录 VPS
|
### 2. SSH 登录 VPS
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh root@47.76.87.111
|
ssh root@47.76.87.111
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 一键部署(推荐)
|
## 一键部署(推荐)
|
||||||
|
|
||||||
在 VPS 上以 **root** 执行:
|
在 VPS 上以 **root** 执行:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# 安装 git
|
# 安装 git
|
||||||
apt update && apt install -y git
|
apt update && apt install -y git
|
||||||
|
|
||||||
# 克隆到 /opt/jiedian
|
# 克隆到 /opt/jiedian
|
||||||
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
||||||
cd /opt/jiedian
|
cd /opt/jiedian
|
||||||
|
|
||||||
# .env 已预填 IP/域名/密钥,直接安装
|
# .env 已预填 IP/域名/密钥,直接安装
|
||||||
bash scripts/install.sh
|
bash scripts/install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
安装完成后查看节点链接:
|
安装完成后查看节点链接:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cat /opt/jiedian/client/generated/share-links.txt
|
cat /opt/jiedian/client/generated/share-links.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 分步部署(如需手动控制)
|
## 分步部署(如需手动控制)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
apt update && apt install -y git
|
apt update && apt install -y git
|
||||||
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
git clone https://git.bz121.com/dekun/jiedian.git /opt/jiedian
|
||||||
cd /opt/jiedian
|
cd /opt/jiedian
|
||||||
|
|
||||||
# 检查 .env(已预配置,一般无需修改)
|
# 检查 .env(已预配置,一般无需修改)
|
||||||
cat .env
|
cat .env
|
||||||
|
|
||||||
# 若需重新生成密钥
|
# 若需重新生成密钥
|
||||||
bash scripts/generate-keys.sh
|
bash scripts/generate-keys.sh
|
||||||
|
|
||||||
# 执行安装
|
# 执行安装
|
||||||
bash scripts/install.sh
|
bash scripts/install.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 安装脚本做了什么
|
## 安装脚本做了什么
|
||||||
|
|
||||||
1. 安装 sing-box、nginx、ufw
|
1. 安装 sing-box、nginx、ufw
|
||||||
2. 防火墙放行:`22/tcp`、`443/tcp`、`8443/udp`
|
2. 防火墙放行:`22/tcp`、`443/tcp`、`8443/udp`
|
||||||
3. Nginx 伪装站监听 `127.0.0.1:8080`
|
3. Nginx 伪装站监听 `127.0.0.1:8080`
|
||||||
4. acme.sh 为 `66.hyf2.cc` 申请 Let's Encrypt 证书
|
4. acme.sh 为 `66.hyf2.cc` 申请 Let's Encrypt 证书
|
||||||
5. 生成 `/etc/sing-box/config.json` 并启动 systemd 服务
|
5. 生成 `/etc/sing-box/config.json` 并启动 systemd 服务
|
||||||
6. 输出客户端分享链接到 `client/generated/share-links.txt`
|
6. 输出客户端分享链接到 `client/generated/share-links.txt`
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 节点信息
|
## 节点信息
|
||||||
|
|
||||||
| 节点 | 协议 | 地址 | 端口 |
|
| 节点 | 协议 | 地址 | 端口 |
|
||||||
|------|------|------|------|
|
|------|------|------|------|
|
||||||
| 主力 | VLESS + Reality | `47.76.87.111` | 443/TCP |
|
| 主力 | VLESS + Reality | `47.76.87.111` | 443/TCP |
|
||||||
| 备用 | Hysteria2 | `66.hyf2.cc` | 8443/UDP |
|
| 备用 | Hysteria2 | `66.hyf2.cc` | 8443/UDP |
|
||||||
|
|
||||||
Reality 伪装 SNI:`www.microsoft.com`(不是你的域名)
|
Reality 伪装 SNI:`www.microsoft.com`(不是你的域名)
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 部署后验证
|
## 部署后验证
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# sing-box 运行状态
|
# sing-box 运行状态
|
||||||
systemctl status sing-box
|
systemctl status sing-box
|
||||||
|
|
||||||
# 端口监听
|
# 端口监听
|
||||||
ss -tlnp | grep 443
|
ss -tlnp | grep 443
|
||||||
ss -ulnp | grep 8443
|
ss -ulnp | grep 8443
|
||||||
|
|
||||||
# 配置语法检查
|
# 配置语法检查
|
||||||
sing-box check -c /etc/sing-box/config.json
|
sing-box check -c /etc/sing-box/config.json
|
||||||
|
|
||||||
# 查看日志
|
# 查看日志
|
||||||
journalctl -u sing-box -f
|
journalctl -u sing-box -f
|
||||||
```
|
```
|
||||||
|
|
||||||
客户端导入见 [client-import.md](client-import.md)。
|
客户端导入见 [client-import.md](client-import.md)。
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 常用运维
|
## 常用运维
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd /opt/jiedian
|
cd /opt/jiedian
|
||||||
|
|
||||||
# 拉取最新配置(若仓库有更新)
|
# 拉取最新配置(若仓库有更新)
|
||||||
git pull
|
git pull
|
||||||
|
|
||||||
# 重新安装/更新
|
# 重新安装/更新
|
||||||
bash scripts/install.sh
|
bash scripts/install.sh
|
||||||
|
|
||||||
# 证书手动续期
|
# 证书手动续期
|
||||||
/root/.acme.sh/acme.sh --renew -d 66.hyf2.cc --force
|
/root/.acme.sh/acme.sh --renew -d 66.hyf2.cc --force
|
||||||
systemctl restart sing-box
|
systemctl restart sing-box
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 故障排查
|
## 故障排查
|
||||||
|
|
||||||
| 问题 | 处理 |
|
| 问题 | 处理 |
|
||||||
|------|------|
|
|------|------|
|
||||||
| `set: pipefail: invalid option` | Windows 换行符问题,执行:`sed -i 's/\r$//' scripts/*.sh .env` 后重试 |
|
| `set: pipefail: invalid option` | Windows 换行符问题,执行:`sed -i 's/\r$//' scripts/*.sh .env` 后重试 |
|
||||||
| `dig` 未返回正确 IP | 等待 DNS 生效或检查解析记录 |
|
| `dig` 未返回正确 IP | 等待 DNS 生效或检查解析记录 |
|
||||||
| acme 证书失败 | 确认 80 端口可访问:`curl -I http://66.hyf2.cc` |
|
| acme 证书失败 | 确认 80 端口可访问:`curl http://66.hyf2.cc/.well-known/acme-challenge/test`;检查 nginx acme 站点是否启用 |
|
||||||
| sing-box 启动失败 | `journalctl -u sing-box -n 50` 查看报错 |
|
| sing-box 启动失败 | `journalctl -u sing-box -n 50` 查看报错 |
|
||||||
| 客户端连不上 | 核对 `share-links.txt` 与 `.env` 中密钥一致 |
|
| 客户端连不上 | 核对 `share-links.txt` 与 `.env` 中密钥一致 |
|
||||||
|
|
||||||
更多见 [troubleshooting.md](troubleshooting.md)。
|
更多见 [troubleshooting.md](troubleshooting.md)。
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## 更新仓库(本地开发机)
|
## 更新仓库(本地开发机)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd 节点
|
cd 节点
|
||||||
git add .
|
git add .
|
||||||
git commit -m "update config"
|
git commit -m "update config"
|
||||||
git push origin main
|
git push origin main
|
||||||
```
|
```
|
||||||
|
|
||||||
VPS 上 `git pull` 后重新运行 `bash scripts/install.sh` 即可同步。
|
VPS 上 `git pull` 后重新运行 `bash scripts/install.sh` 即可同步。
|
||||||
|
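Review bot: the "安装脚本做了什么" list is now out of date: item 2 still says the firewall allows `22/tcp`、`443/tcp`、`8443/udp`, but install.sh in this commit also opens `80/tcp`, and item 3 mentions only the fallback site on `127.0.0.1:8080`, not the new ACME site on port 80. Also, the new troubleshooting check `curl http://66.hyf2.cc/.well-known/acme-challenge/test` will get a 404 from the acme vhost's `try_files $uri =404` because no such file exists; say explicitly that an nginx 404 means port 80 and the vhost are reachable (a timeout or connection refused is the actual failure), or tell the reader to create a test file under `/var/www/acme/.well-known/acme-challenge/` first.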
|||||||
+8
-1
@@ -63,6 +63,7 @@ ufw --force reset
|
|||||||
ufw default deny incoming
|
ufw default deny incoming
|
||||||
ufw default allow outgoing
|
ufw default allow outgoing
|
||||||
ufw allow 22/tcp comment 'SSH'
|
ufw allow 22/tcp comment 'SSH'
|
||||||
|
ufw allow 80/tcp comment 'HTTP-ACME'
|
||||||
ufw allow 443/tcp comment 'Reality'
|
ufw allow 443/tcp comment 'Reality'
|
||||||
ufw allow 8443/udp comment 'Hysteria2'
|
ufw allow 8443/udp comment 'Hysteria2'
|
||||||
ufw --force enable
|
ufw --force enable
|
||||||
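Review bot: with issuance moved to webroot mode, `ufw allow 80/tcp comment 'HTTP-ACME'` is needed not only for the first issue but for every acme.sh cron renewal, and nothing in the script records that, so a later hardening pass could remove the rule and break renewal silently. Add a comment line above it stating the dependency (and the same in docs), and consider listing `ufw status numbered` in the post-deploy verification so the 80/tcp rule is visibly present.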
@@ -73,6 +74,12 @@ cp "$ROOT_DIR/server/nginx/index.html" /var/www/fallback/
|
|||||||
cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
|
cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
|
||||||
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
|
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
|
||||||
rm -f /etc/nginx/sites-enabled/default
|
rm -f /etc/nginx/sites-enabled/default
|
||||||
|
|
||||||
|
log "部署 Nginx ACME 验证站点 (80) ..."
|
||||||
|
mkdir -p /var/www/acme
|
||||||
|
sed "s|__DOMAIN__|${DOMAIN}|g" "$ROOT_DIR/server/nginx/acme.conf.template" \
|
||||||
|
> /etc/nginx/sites-available/acme
|
||||||
|
ln -sf /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
|
||||||
nginx -t && systemctl enable nginx && systemctl restart nginx
|
nginx -t && systemctl enable nginx && systemctl restart nginx
|
||||||
|
|
||||||
log "申请 TLS 证书 (Let's Encrypt) ..."
|
log "申请 TLS 证书 (Let's Encrypt) ..."
|
||||||
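Review bot: `nginx -t && systemctl enable nginx && systemctl restart nginx` runs on every rerun of install.sh, which docs/DEPLOY.md presents as the routine update path (`git pull` then `bash scripts/install.sh`); a full restart drops open connections on the fallback site, whereas once `nginx -t` passes a `systemctl reload nginx` applies the new acme vhost without that. Separately, the `sed "s|__DOMAIN__|${DOMAIN}|g"` render uses `|` as the delimiter and so assumes `DOMAIN` never contains `|`; fine here, but a guard that `DOMAIN` is non-empty before writing `/etc/nginx/sites-available/acme` would give a clearer error than whatever `nginx -t` reports for an empty `server_name`.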
@@ -90,7 +97,7 @@ if [[ "$CURRENT_IP" != "$VPS_IP" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
|
||||||
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" --nginx --force
|
/root/.acme.sh/acme.sh --issue -d "$DOMAIN" -w /var/www/acme --force
|
||||||
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
|
||||||
--key-file /etc/sing-box/certs/privkey.pem \
|
--key-file /etc/sing-box/certs/privkey.pem \
|
||||||
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
--fullchain-file /etc/sing-box/certs/fullchain.pem \
|
||||||
|
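Review bot: `--issue -d "$DOMAIN" -w /var/www/acme --force` keeps `--force`, so every rerun of install.sh (the documented update path) requests a fresh certificate instead of letting acme.sh skip an issuance that is not yet due; repeated reruns will hit Let's Encrypt's duplicate-certificate rate limit and then leave the deployment unable to renew. Drop `--force` here, or guard the issue step with a check that `/etc/sing-box/certs/fullchain.pem` does not already exist. The ordering is otherwise right: the acme vhost on port 80 is deployed and nginx restarted before this webroot issuance runs.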
|||||||
@@ -0,0 +1,17 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name __DOMAIN__;
|
||||||
|
|
||||||
|
root /var/www/acme;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
default_type "text/plain";
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 200 'ok';
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
}
|
||||||
|
}
|
||||||
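Review bot: `location / { return 200 'ok'; ... }` makes port 80 on the real domain answer every path with the literal text `ok`, a distinctive response that any scanner can match, which sits badly with the project's own 防墙要点 of not standing out. Outside `/.well-known/acme-challenge/` either return 404 (or `return 444;` to close without a response) or `proxy_pass http://127.0.0.1:8080;` so the same static fallback page is served on 80 as behind Reality. Minor: `add_header Content-Type text/plain;` after `return 200` works, but `default_type text/plain;` is the idiomatic way to set the type of a `return` body.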