headscale使用nginx代理

发表于 阅读次数: 本文字数: 4.8k 阅读时长 ≈ 9 分钟

当我们部署了 headscale 以及 headscale UI等程序,需要对 headscale 及UI 进行代理。本文使用nginx进行代理。

headscale ui相关的开源程序,推荐使用 headscale-admin,界面美观,功能较丰富,使用较简单,只要启动容器即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
user  root;
worker_processes auto;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    access_log /var/log/nginx/nginx-access.log;
    error_log /var/log/nginx/nginx-error.log;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    

    sendfile        on;

    keepalive_timeout  65;

    gzip on;
    gzip_static on;

    proxy_buffer_size 128k;
    proxy_buffers 32 128k;
    proxy_busy_buffers_size 128k;

    fastcgi_buffers 8 128k;
    send_timeout 60;

  server {
        listen       8088 ssl;
        server_name  xxx.ownding.xyz;
        ssl_certificate      /home/headscale/cert/xxx.ownding.xyz.crt;
        ssl_certificate_key  /home/headscale/cert/xxx.ownding.xyz.key;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 1440m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        
        # add_header X-Frame-Options "SAMEORIGIN";
        # add_header X-XSS-Protection "1; mode=block";
        # add_header X-Content-Type-Options "nosniff";
        
        location / {
            proxy_pass http://172.26.0.93:8080;  # Headscale的HTTP端口
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

            # CORS-Handling 
            if ($request_method = OPTIONS) {
                add_header 'Access-Control-Allow-Origin' '*' always;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS' always;
                add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, User-Agent' always;
                add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
                add_header 'Content-Length' 0 always;
                add_header 'Content-Type' 'text/plain; charset=utf-8' always;
                return 204;
            }

            # CORS-Header 
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, User-Agent' always;
            add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
        }

        location /admin {
            proxy_pass http://172.26.0.93:8443;  # Headscale admin的HTTP端口
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

            # CORS-Handling
            if ($request_method = OPTIONS) {
                add_header 'Access-Control-Allow-Origin' '*' always;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS' always;
                add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, User-Agent' always;
                add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
                add_header 'Content-Length' 0 always;
                add_header 'Content-Type' 'text/plain; charset=utf-8' always;
                return 204;
            }

            # CORS-Header
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, User-Agent' always;
            add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

以上配置中需要注意 add_header 'Access-Control-Allow-Origin' '*' always; , 将 * 替换为你自己服务器的域名。

如果你想部署 headscale-admin,以及不希望api暴露,可以在 nginx 中删除 /admin 的配置,以及 /cros 配置即可。