feat: proxy admin panel via nginx port 80 to avoid exposing 8444
Route the panel through a secret subpath on port 80, remove the separate 8444 listener, and document common troubleshooting in docs. Co-authored-by: Cursor <cursoragent@cursor.com>
+39
-11
@@ -61,6 +61,31 @@ fi
: "${REALITY_SHORT_ID:?}"
: "${PANEL_PASSWORD:?}"
normalize_panel_path() {
local p="${1:-}"
p="${p#/}"
p="${p%/}"
echo "$p"
}
PANEL_PATH="$(normalize_panel_path "${PANEL_PATH:-}")"
if [[ -z "$PANEL_PATH" ]]; then
PANEL_PATH="jiedian-$(openssl rand -hex 4)"
if grep -q "^PANEL_PATH=" "$ENV_FILE" 2>/dev/null; then
sed -i "s|^PANEL_PATH=.*|PANEL_PATH=${PANEL_PATH}|" "$ENV_FILE"
else
echo "PANEL_PATH=${PANEL_PATH}" >> "$ENV_FILE"
fi
fi
PANEL_LOCATION="/${PANEL_PATH}/"
PANEL_PREFIX="/${PANEL_PATH}"
PANEL_ALLOW_BLOCK=""
if [[ -n "${PANEL_ALLOW_IP:-}" ]]; then
PANEL_ALLOW_BLOCK=" allow ${PANEL_ALLOW_IP};
deny all;"
fi
export JIEDIAN_ROOT="$ROOT_DIR"
ARCH="$(uname -m)"
@@ -90,10 +115,9 @@ ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP-ACME'
ufw allow 80/tcp comment 'HTTP-ACME-Panel'
ufw allow 443/tcp comment 'Reality'
ufw allow 8443/udp comment 'Hysteria2'
ufw allow 8444/tcp comment 'Panel-HTTPS'
ufw --force enable
log "部署 Nginx fallback 站点 ..."
@@ -103,11 +127,16 @@ cp "$ROOT_DIR/server/nginx/fallback.conf" /etc/nginx/sites-available/fallback
ln -sf /etc/nginx/sites-available/fallback /etc/nginx/sites-enabled/fallback
rm -f /etc/nginx/sites-enabled/default
log "部署 Nginx ACME 验证站点 (80) ..."
log "部署 Nginx ACME + 管理面板反向代理 (80) ..."
mkdir -p /var/www/acme
sed "s|__DOMAIN__|${DOMAIN}|g" "$ROOT_DIR/server/nginx/acme.conf.template" \
sed -e "s|__DOMAIN__|${DOMAIN}|g" \
-e "s|__PANEL_LOCATION__|${PANEL_LOCATION}|g" \
-e "s|__PANEL_PREFIX__|${PANEL_PREFIX}|g" \
-e "s|__PANEL_ALLOW__|${PANEL_ALLOW_BLOCK}|g" \
"$ROOT_DIR/server/nginx/acme.conf.template" \
> /etc/nginx/sites-available/acme
ln -sf /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
nginx -t && systemctl enable nginx && systemctl restart nginx
log "申请 TLS 证书 (Let's Encrypt) ..."
mkdir -p /etc/sing-box/certs
@@ -132,11 +161,8 @@ log "安装 TLS 证书到 sing-box ..."
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem
log "部署管理面板 Nginx (8444) ..."
sed "s|__DOMAIN__|${DOMAIN}|g" "$ROOT_DIR/server/nginx/panel.conf.template" \
> /etc/nginx/sites-available/panel
ln -sf /etc/nginx/sites-available/panel /etc/nginx/sites-enabled/panel
nginx -t && systemctl enable nginx && systemctl restart nginx
rm -f /etc/nginx/sites-enabled/panel /etc/nginx/sites-available/panel
nginx -t && systemctl reload nginx
log "安装 Python 面板依赖 ..."
python3 -m venv "$ROOT_DIR/panel/venv"
@@ -179,6 +205,7 @@ After=network.target sing-box.service
Type=simple
WorkingDirectory=${ROOT_DIR}/panel
Environment=JIEDIAN_ROOT=${ROOT_DIR}
Environment=PANEL_PATH=${PANEL_PATH}
ExecStart=${ROOT_DIR}/panel/venv/bin/python app.py
Restart=on-failure
RestartSec=5
@@ -194,7 +221,7 @@ log "注册证书续期 reload 命令 ..."
/root/.acme.sh/acme.sh --install-cert -d "$DOMAIN" \
--key-file /etc/sing-box/certs/privkey.pem \
--fullchain-file /etc/sing-box/certs/fullchain.pem \
--reloadcmd "systemctl restart sing-box" \
--reloadcmd "systemctl restart sing-box && systemctl reload nginx" \
|| log "acme reloadcmd 注册失败,可忽略"
systemctl restart sing-box jiedian-panel
@@ -202,7 +229,8 @@ systemctl restart sing-box jiedian-panel
log "部署完成!"
echo ""
echo "=========================================="
echo " 管理面板: https://${DOMAIN}:8444"
echo " 管理面板: http://${DOMAIN}${PANEL_LOCATION}"
echo " 面板路径: ${PANEL_PATH} (见 .env 中 PANEL_PATH)"
echo " 用户名: ${PANEL_USERNAME}"
echo " 密码: ${PANEL_PASSWORD}"
echo "=========================================="
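Review bot: The panel URL printed at the end is now `http://${DOMAIN}${PANEL_LOCATION}`, so the login on that page (the username and password echoed just below it) crosses the network in cleartext, whereas the removed 8444 listener was an HTTPS endpoint; the "secret" path travels in the same unencrypted request and is only a fixed `jiedian-` prefix plus 32 bits from `openssl rand -hex 4`. Because the `allow`/`deny all` block is emitted only when `PANEL_ALLOW_IP` is set, a default run leaves the panel reachable from any address over plain HTTP. I would refuse to deploy without an allowlist — `: "${PANEL_ALLOW_IP:?panel is served over plain HTTP on :80; set PANEL_ALLOW_IP or reach it through an SSH tunnel}"` — and widen the path to `openssl rand -hex 16`; keeping TLS on the panel (a loopback-bound HTTPS listener behind an SSH tunnel, or routing it through the Reality fallback) would be the real fix. Separately, `PANEL_ALLOW_BLOCK` holds a literal newline and is used as the replacement text of `sed -e "s|__PANEL_ALLOW__|${PANEL_ALLOW_BLOCK}|g"`; GNU sed normally wants that newline backslash-escaped, so the allowlist branch looks likely to fail at the sed step rather than produce the intended config — worth exercising with `PANEL_ALLOW_IP` set. The deploy script continues before the first and after the last hunk shown.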