feat: proxy admin panel via nginx port 80 to avoid exposing 8444
Route the panel through a secret subpath on port 80, remove the separate 8444 listener, and document common troubleshooting in docs. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
+11
-8
@@ -6,7 +6,7 @@
|
||||
|------|-----|
|
||||
| VPS IP | `47.76.87.111` |
|
||||
| 域名 | `66.hyf2.cc` |
|
||||
| 管理面板 | `https://66.hyf2.cc:8444` |
|
||||
| 管理面板 | `http://66.hyf2.cc/<PANEL_PATH>/` |
|
||||
| 部署目录 | `/opt/jiedian` |
|
||||
| 系统 | Ubuntu 22.04 / 24.04 |
|
||||
|
||||
@@ -28,7 +28,7 @@ dig +short A 66.hyf2.cc
|
||||
|
||||
### 2. 阿里云安全组
|
||||
|
||||
放行:`22`、`80`、`443/TCP`、`8443/UDP`、`8444/TCP`
|
||||
放行:`22`、`80`、`443/TCP`、`8443/UDP`(**无需 8444**)
|
||||
|
||||
---
|
||||
|
||||
@@ -44,7 +44,8 @@ bash scripts/install.sh
|
||||
安装结束会输出:
|
||||
|
||||
```
|
||||
管理面板: https://66.hyf2.cc:8444
|
||||
管理面板: http://66.hyf2.cc/jiedian-xxxx/
|
||||
面板路径: jiedian-xxxx (见 .env 中 PANEL_PATH)
|
||||
用户名: admin
|
||||
密码: xxxxx
|
||||
```
|
||||
@@ -72,11 +73,11 @@ bash scripts/install.sh
|
||||
## 安装脚本做了什么
|
||||
|
||||
1. 安装 sing-box、nginx、Python 面板依赖
|
||||
2. 防火墙放行 22/80/443/8443/8444
|
||||
2. 防火墙放行 22/80/443/8443(不暴露 8444)
|
||||
3. acme.sh 申请 `66.hyf2.cc` 证书
|
||||
4. 初始化 SQLite 节点库 + 默认管理员
|
||||
5. 生成 sing-box 配置并启动服务
|
||||
6. Nginx 8444 端口提供 HTTPS 管理面板
|
||||
6. Nginx 80 端口子路径反向代理管理面板
|
||||
|
||||
---
|
||||
|
||||
@@ -95,9 +96,10 @@ bash scripts/install.sh
|
||||
|
||||
```bash
|
||||
systemctl status sing-box jiedian-panel
|
||||
ss -tlnp | grep -E '443|8444'
|
||||
ss -tlnp | grep -E '80|443|5080'
|
||||
ss -ulnp | grep 8443
|
||||
curl -k -I https://66.hyf2.cc:8444/login
|
||||
PANEL_PATH=$(grep ^PANEL_PATH= /opt/jiedian/.env | cut -d= -f2)
|
||||
curl -I "http://66.hyf2.cc/${PANEL_PATH}/login"
|
||||
```
|
||||
|
||||
---
|
||||
@@ -106,9 +108,10 @@ curl -k -I https://66.hyf2.cc:8444/login
|
||||
|
||||
| 问题 | 处理 |
|
||||
|------|------|
|
||||
| 面板 404 | 确认 URL 含完整 `PANEL_PATH`,见 `grep PANEL_PATH .env` |
|
||||
| apt 锁被占用 | 等待自动更新结束,或 `bash scripts/install.sh` 会自动等待 |
|
||||
| sing-box 443 被占用 | `ss -tlnp \| grep 443`,停止占用进程后重装 |
|
||||
| 忘记面板密码 | `grep PANEL_PASSWORD /opt/jiedian/.env` 或重新 `generate-keys.sh` |
|
||||
| 忘记面板密码/路径 | `grep PANEL_ /opt/jiedian/.env` 或重新 `generate-keys.sh` |
|
||||
| SSH 主机密钥变更 | 重装系统后本地执行 `ssh-keygen -R 47.76.87.111` |
|
||||
|
||||
更多见 [troubleshooting.md](troubleshooting.md)。
|
||||
|
||||
@@ -13,7 +13,9 @@
|
||||
|
||||
- `443/TCP` — VLESS + Reality(主力)
|
||||
- `8443/UDP` — Hysteria2(备用)
|
||||
- `80/TCP` — ACME 验证 + 管理面板 Nginx 反向代理
|
||||
- `127.0.0.1:8080` — Nginx 伪装静态页(Reality fallback 场景)
|
||||
- `127.0.0.1:5080` — Flask 面板后端(不对外暴露)
|
||||
|
||||
## 单协议简化
|
||||
|
||||
|
||||
+119
-5
@@ -6,19 +6,85 @@
|
||||
# sing-box 是否运行
|
||||
systemctl is-active sing-box
|
||||
|
||||
# 管理面板是否运行
|
||||
systemctl is-active jiedian-panel
|
||||
|
||||
# 配置语法
|
||||
sing-box check -c /etc/sing-box/config.json
|
||||
|
||||
# 端口监听
|
||||
ss -tlnp | grep 443 # Reality TCP
|
||||
ss -ulnp | grep 8443 # Hysteria2 UDP
|
||||
ss -tlnp | grep 443 # Reality TCP
|
||||
ss -tlnp | grep 5080 # 面板后端(仅本机)
|
||||
ss -tlnp | grep :80 # Nginx(ACME + 面板反向代理)
|
||||
ss -ulnp | grep 8443 # Hysteria2 UDP
|
||||
|
||||
# Nginx fallback
|
||||
curl -s http://127.0.0.1:8080
|
||||
```
|
||||
|
||||
## 管理面板访问
|
||||
|
||||
面板通过 **Nginx 80 端口反向代理**,不再单独暴露 8444。
|
||||
|
||||
```bash
|
||||
# 查看面板路径(安装时自动生成或 .env 中配置)
|
||||
grep PANEL_PATH /opt/jiedian/.env
|
||||
|
||||
# 示例:PANEL_PATH=jiedian-a1b2c3d4
|
||||
# 访问地址:http://66.hyf2.cc/jiedian-a1b2c3d4/
|
||||
curl -I "http://66.hyf2.cc/$(grep ^PANEL_PATH= /opt/jiedian/.env | cut -d= -f2)/login"
|
||||
```
|
||||
|
||||
> 443 端口已被 sing-box Reality 占用,面板走 80 端口子路径。请妥善保管 `PANEL_PATH`,相当于隐藏入口。
|
||||
|
||||
---
|
||||
|
||||
## 常见问题
|
||||
|
||||
### 面板打不开 / 404
|
||||
|
||||
1. **路径不对**:必须用完整路径,末尾带 `/`,例如 `http://域名/jiedian-xxxx/login`
|
||||
2. **Nginx 未加载配置**:
|
||||
```bash
|
||||
nginx -t && systemctl reload nginx
|
||||
cat /etc/nginx/sites-available/acme | grep -A5 jiedian
|
||||
```
|
||||
3. **面板进程未运行**:
|
||||
```bash
|
||||
systemctl status jiedian-panel
|
||||
journalctl -u jiedian-panel -n 30 --no-pager
|
||||
curl -I http://127.0.0.1:5080/login
|
||||
```
|
||||
4. **阿里云安全组**:只需放行 `80/TCP`,**无需**再放行 8444
|
||||
|
||||
### 面板登录后跳回登录页 / 样式丢失
|
||||
|
||||
通常是子路径反向代理头未生效,检查 Nginx 是否包含:
|
||||
|
||||
```nginx
|
||||
proxy_set_header X-Forwarded-Prefix /你的PANEL_PATH;
|
||||
```
|
||||
|
||||
修改后 `systemctl reload nginx`,并确认 `.env` 中 `PANEL_PATH` 与 Nginx 一致。
|
||||
|
||||
### 设置了 PANEL_ALLOW_IP 后无法访问
|
||||
|
||||
`.env` 中 `PANEL_ALLOW_IP` 会限制仅该 IP 可访问面板。本机公网 IP 变更后需更新并重装 Nginx 配置:
|
||||
|
||||
```bash
|
||||
# 编辑 .env 后重新渲染 nginx
|
||||
cd /opt/jiedian
|
||||
bash scripts/install.sh # 或手动 sed acme 配置后 reload nginx
|
||||
```
|
||||
|
||||
### 忘记面板密码或路径
|
||||
|
||||
```bash
|
||||
grep -E 'PANEL_(USERNAME|PASSWORD|PATH)' /opt/jiedian/.env
|
||||
# 重置密码与 Reality 密钥
|
||||
bash scripts/generate-keys.sh
|
||||
```
|
||||
|
||||
### acme.sh 证书申请失败
|
||||
|
||||
```bash
|
||||
@@ -29,7 +95,7 @@ dig +short A your.domain.com
|
||||
ss -tlnp | grep :80
|
||||
|
||||
# 手动重试
|
||||
/root/.acme.sh/acme.sh --issue -d your.domain.com --nginx --force
|
||||
/root/.acme.sh/acme.sh --issue -d your.domain.com -w /var/www/acme --force
|
||||
```
|
||||
|
||||
### sing-box 无法启动
|
||||
@@ -40,6 +106,11 @@ journalctl -u sing-box -n 50 --no-pager
|
||||
|
||||
常见原因:证书路径错误、JSON 语法错误、443 被占用。
|
||||
|
||||
```bash
|
||||
ss -tlnp | grep :443
|
||||
sing-box check -c /etc/sing-box/config.json
|
||||
```
|
||||
|
||||
### 客户端能连但速度慢
|
||||
|
||||
- 换 Hysteria2 节点(UDP/QUIC 抗丢包)
|
||||
@@ -52,6 +123,35 @@ journalctl -u sing-box -n 50 --no-pager
|
||||
2. 修改 `.env` 中 `REALITY_SERVER_NAME` 为其他大站(如 `www.apple.com`)
|
||||
3. 重新运行 `install.sh` 或手动更新 `/etc/sing-box/config.json` 并 restart
|
||||
|
||||
### apt 锁被占用
|
||||
|
||||
安装脚本会自动等待最多 10 分钟。若超时:
|
||||
|
||||
```bash
|
||||
# 查看占用进程
|
||||
fuser /var/lib/dpkg/lock-frontend
|
||||
# 等待 cloud-init / unattended-upgrades 结束后再执行
|
||||
bash scripts/install.sh
|
||||
```
|
||||
|
||||
### SSH 主机密钥变更
|
||||
|
||||
VPS 重装系统后,本地执行:
|
||||
|
||||
```bash
|
||||
ssh-keygen -R 你的VPS_IP
|
||||
```
|
||||
|
||||
### 卸载后重装
|
||||
|
||||
```bash
|
||||
cd /opt/jiedian
|
||||
git pull
|
||||
bash scripts/uninstall.sh
|
||||
bash scripts/generate-keys.sh # 可选:重置密钥与面板密码
|
||||
bash scripts/install.sh
|
||||
```
|
||||
|
||||
### 改用 Xray 替代 sing-box(可选)
|
||||
|
||||
若更熟悉 Xray,可使用 `server/xray-server.json.template`:
|
||||
@@ -66,10 +166,24 @@ sed -e "s|\${UUID}|...|g" ... server/xray-server.json.template > /usr/local/etc/
|
||||
systemctl restart xray
|
||||
```
|
||||
|
||||
Hysteria2 仍需单独部署(或使用 sing-box 仅跑 Hy2 inbound)。
|
||||
Hysteria2 仍需单独部署(或使用 sing-box 仅跑 Hy2 inbound)。
|
||||
|
||||
---
|
||||
|
||||
## 防火墙与安全组对照
|
||||
|
||||
| 端口 | 协议 | 用途 | 是否必须放行 |
|
||||
|------|------|------|-------------|
|
||||
| 22 | TCP | SSH | 是 |
|
||||
| 80 | TCP | ACME 验证 + **管理面板** | 是 |
|
||||
| 443 | TCP | VLESS + Reality | 是 |
|
||||
| 8443 | UDP | Hysteria2 | 是 |
|
||||
| ~~8444~~ | ~~TCP~~ | ~~旧版面板的独立 HTTPS~~ | **已废弃,无需放行** |
|
||||
|
||||
## 安全建议
|
||||
|
||||
- 使用随机 `PANEL_PATH`,不要公开分享面板地址
|
||||
- 可选在 `.env` 设置 `PANEL_ALLOW_IP=你的公网IP` 限制访问来源
|
||||
- SSH 改用密钥登录,禁用密码:`PermitRootLogin prohibit-password`
|
||||
- 可选修改 SSH 端口,ufw 放行新端口后再删 22
|
||||
- 不要将 `.env` 或 `share-links.txt` 上传到公开仓库
|
||||
- 不要将 `.env` 或节点分享链接上传到公开仓库
|
||||
|
||||
Reference in New Issue
Block a user