
A simple IPv6 DDNS and domain-name reverse proxy setup

Posted 2025-12-20 22:06:51

  This post uses nginx in Docker to build a reverse proxy for fnOS (飞牛), so that fnOS itself, the Docker containers running on it, and even other services on the LAN can all be reached from the internet through fnOS's built-in IPv6 DDNS. All that is needed is a customised Nginx image with the ACME script bundled in, running as a container; it provides domain-name access and automatic certificate issuance.
  The domain used here is registered with Alibaba Cloud and has completed ICP filing, so it resolves and is reachable normally. In Alibaba Cloud you need to create a sub-account (RAM user) with the AliyunDNSFullAccess permission and generate an AccessKey ID and secret for it; acme.sh uses these to complete the DNS validation when issuing the certificate.
  Notes before starting:

  1. Every /home/nginx/ directory below can be replaced by a directory of your choice, as long as you use the same one everywhere.
  2. The example domain nas.xxx.com must be replaced with your own root domain or subdomain.

Part 1: Set up fnOS DDNS

There are plenty of tutorials for this already, so I won't repeat them. It requires that your optical modem and router support IPv6 and that fnOS has already obtained an IPv6 address.

Part 2: Open up IPv6 access from the internet

You need to disable the IPv6 firewall on the optical modem and add an outbound rule on the router.

At this point, an IPv6-capable client on the internet should already be able to open http://[IPv6 address]:5666 (in a browser, an IPv6 address must be wrapped in "[]").

Part 3: Configure ports and the Docker container

1. Free up the HTTP(S) ports
To keep the port out of the domain name, Nginx has to listen on fnOS's ports 80 and 443 and forward the requests it receives there to port 5667. So the ports must be released first: in fnOS [Port settings], untick this option.

2. Prepare the configuration file Nginx needs to run
Run the following commands over SSH to obtain a default nginx configuration file:

# create the target directory first; docker cp fails if it does not exist
sudo mkdir -p /home/nginx
sudo docker run --name tmp-nginx-container -d nginx
sudo docker cp tmp-nginx-container:/etc/nginx/nginx.conf /home/nginx/nginx.conf
sudo docker rm -f tmp-nginx-container

3. Create the Nginx container
Create a new Docker Compose project with the following content and start it. The image is the official nginx image with acme.sh packaged in; project address

services:
  nginx:
    image: ningjx/nginx_acme:latest
    container_name: nginx
    restart: always
    networks:
      default:
    ports:
      - "80:80"
      - "443:443"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      # Alibaba Cloud RAM user AccessKey ID and secret (needs only AliyunDNSFullAccess);
      # treat this compose file as a secret since the credentials are stored in clear text
      - Ali_Key=xx     # Alibaba Cloud account key
      - Ali_Secret=xx  # Alibaba Cloud account secret
      - Cert_Home=/etc/nginx/ssl
      - Email=xxx@xxx.com # any address will do
    volumes:
      - /home/nginx/nginx.conf:/etc/nginx/nginx.conf
      - /home/nginx/conf.d:/etc/nginx/conf.d
      - /home/nginx/logs:/var/log/nginx
      - /home/nginx/html:/etc/nginx/html
      - /home/nginx/ssl:/etc/nginx/ssl
      - /home/nginx/crontabs:/var/spool/cron/crontabs
      - /home/nginx/acme:/root/.acme.sh
networks:
  default:
    enable_ipv6: true

In the /home/nginx/conf.d directory, create the proxy configuration base.conf (the file name is arbitrary):

server {
    # Listen on port 80 (HTTP) for IPv4 and IPv6
    listen 80;
    listen [::]:80;
    # Force a redirect to HTTPS
    return 301 https://$host$request_uri;
}
server {
    # Listen on port 443 (HTTPS) for IPv4 and IPv6
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nas.xxx.com;
    # SSL certificate paths (ECC certificate issued by acme.sh)
    ssl_certificate /etc/nginx/ssl/nas.xxx.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/nas.xxx.com_ecc/nas.xxx.com.key;
    # Enable TLS 1.2/1.3 and a tuned cipher list
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    # Reverse proxy configuration
    location / {
        proxy_pass https://192.168.50.100:5667;
        # Basic proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts (keep WebSocket connections from being dropped)
        proxy_read_timeout 86400s;  # long-lived connection timeout
        proxy_send_timeout 86400s;
    }
    # Enable HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Part 4: Enable automatic certificate issuance
On the Docker container page, open a terminal in the nginx container and enter

acme.sh --issue --dns dns_ali -d nas.xxx.com --reloadcmd 'service nginx force-reload'

This issues the certificate; it will be renewed automatically from then on.
At this point fnOS can be reached at https://nas.xxx.com instead of http://[IPv6 address]:5666.
When you need to reverse-proxy other services, just add another server block to base.conf with its own certificate and server_name.


Follow-up by the original poster, 2025-12-21 16:45:35

Optimised configuration files

1. nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;
events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 300;
    keepalive_requests 1000;
    # Client request body limits: 0 removes the size limit so large uploads work
    client_max_body_size 0;
    client_body_buffer_size 128k;
    client_body_timeout 3600s;

    # Temporary file path for client request bodies
    client_body_temp_path /var/cache/nginx/client_temp;

    # Client request header settings
    client_header_buffer_size 4k;
    large_client_header_buffers 8 16k;
    client_header_timeout 300s;
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript
               application/javascript application/xml+rss application/json
               application/octet-stream application/x-font-ttf font/opentype;
    # ========== Global proxy tuning ==========
    proxy_buffering off;
    proxy_buffer_size 32k;
    proxy_buffers 256 32k;
    proxy_busy_buffers_size 512k;

    # Proxy temporary file settings
    proxy_temp_path /var/cache/nginx/proxy_temp;
    proxy_temp_file_write_size 512k;
    proxy_max_temp_file_size 0;

    # Proxy timeouts
    proxy_connect_timeout 300s;
    proxy_send_timeout 3600s;
    proxy_read_timeout 86400s;

    # Other proxy tuning
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_redirect off;
    proxy_ignore_client_abort off;
    # Pass Range requests through to the upstream (resumable transfers)
    proxy_force_ranges on;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;

    # WebSocket support
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    include /etc/nginx/conf.d/*.conf;
}

2. base.conf

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name nas.xxx.com;
    return 301 https://$host$request_uri;
}
# Main HTTPS server
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nas.xxx.com;
    # Enable HTTP/2 (the http2 directive requires nginx 1.25.1 or later)
    http2 on;

    # SSL certificate paths
    ssl_certificate /etc/nginx/ssl/nas.xxx.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/nas.xxx.com_ecc/nas.xxx.com.key;

    # SSL tuning
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # HSTS header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Security headers
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # ========== Reverse proxy configuration ==========
    location / {
        proxy_pass https://host.docker.internal:5667;

        # Basic proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # WebSocket support (uses the map defined in nginx.conf)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Timeouts: tuned for long-lived NAS connections
        proxy_connect_timeout 300s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 86400s;

        # Buffer tuning for large file transfers
        proxy_buffering off;
        proxy_buffer_size 32k;
        proxy_buffers 512 32k;      # 16 MB of in-memory buffers
        proxy_busy_buffers_size 1m;

        # Disable temporary files (or set a large limit instead)
        proxy_max_temp_file_size 0;
        #proxy_max_temp_file_size 10g;

        # Upload tuning
        proxy_request_buffering on;
        proxy_http_version 1.1;

        # Allow large uploads
        client_max_body_size 0;
        client_body_buffer_size 512k;
        client_body_timeout 86400s;

        # Resumable downloads
        proxy_force_ranges on;

        # Improve upload speed
        proxy_set_header Expect "";

        # Close the upstream connection when the client aborts
        proxy_ignore_client_abort off;

        # Disable caching
        proxy_cache off;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
    }
}
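Once the NAS is reachable from the whole IPv6 internet, the access log this nginx writes in the `main` format defined in nginx.conf above is the place to watch for password guessing against the fnOS login. The following is an added example (not part of the post or of the nginx_acme project) that parses that exact log format and counts 401/403 responses per client; the log lines and the /login path are constructed sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Matches the 'main' log_format declared in the nginx.conf above.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of log fields, or None if the line is not in 'main' format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # $remote_addr is the peer this edge nginx actually talked to, so it can be
    # trusted for attribution. $http_x_forwarded_for is client-supplied and is kept
    # only for reference. ip_address() normalises IPv6 spellings (e.g. zero-padded
    # groups) so one client cannot appear under several names in the counts.
    rec["addr"] = str(ip_address(rec["addr"]))
    return rec

def auth_failures_by_client(lines, threshold=5):
    """Map client address -> number of 401/403 responses, for clients at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (401, 403):
            counts[rec["addr"]] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample lines (not real traffic); the /login path is a placeholder.
SAMPLE_LINES = [
    '2001:db8::1234 - - [21/Dec/2025:16:45:35 +0800] "POST /login HTTP/1.1" 401 52 "-" "python-requests/2.31" "-"',
    '2001:0db8:0000:0000:0000:0000:0000:1234 - - [21/Dec/2025:16:45:36 +0800] "POST /login HTTP/1.1" 401 52 "-" "python-requests/2.31" "-"',
    '2001:db8::1234 - - [21/Dec/2025:16:45:37 +0800] "POST /login HTTP/1.1" 403 52 "-" "python-requests/2.31" "-"',
    '2001:db8:1::9 - - [21/Dec/2025:16:46:01 +0800] "GET / HTTP/2.0" 200 1843 "-" "Mozilla/5.0" "-"',
    '2001:db8:1::9 - - [21/Dec/2025:16:46:02 +0800] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0" "-"',
    'this line is not in main format',
]

if __name__ == "__main__":
    for addr, n in auth_failures_by_client(SAMPLE_LINES, threshold=3).items():
        print(f"{addr}: {n} auth failures")
```

Run it against /home/nginx/logs/access.log (the host path mounted in the compose file) to get the same per-client counts for real traffic.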
