【笔记】openwrt - nginx编译、配置反向代理(https下netdata不显示)

# 完整交叉编译

参考:https://servertesa.wordpress.com/2011/05/22/how-to-compile-and-configure-nginx-on-openwrt/

前提:编译了一次openwrt的环境
(编译教程:【速记】openwrt - 编译、刷固件https://lawsssscat.blog.csdn.net/article/details/103744761

Note: nginx is not in the OpenWrt base packages, so you must first fetch and install the additional package feeds.

# Pull every package feed and make all feed packages selectable, so that
# nginx (not part of the base system) shows up under Network in menuconfig.
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig

On ‘make menuconfig’ select Network->nginx
Compiling nginx is very easy, thanks to openwrt developers!

 make menuconfig 

choose Network->Nginx

make ./package/feeds/packages/nginx/compile   # build only the nginx package, not the whole image

The nginx package will be placed at bin/[board_arch]/packages/nginx_0.7.67-3_ar71xx.ipk . In tplink tl wr1043nd : bin/ar71xx/packages/nginx_0.7.67-3_ar71xx.ipk


Configure Nginx

create nginx root directory

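# Document root for nginx; -p also creates the missing parent directory.
# Options must precede the operand: 'mkdir DIR -p' only works on mkdir
# builds that permute arguments and fails on strictly POSIX ones.
mkdir -p /www-nginx/default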

Edit /etc/nginx/nginx.conf:

  • change the user from nobody to root — caveat: this makes every nginx worker run as root, so any nginx bug becomes a root compromise of the router; only do it if something nginx must read is genuinely root-only, otherwise keep `nobody` and make /www-nginx readable by that user (e.g. `chmod -R o+rX /www-nginx`)
  • change nginx root directory to /www-nginx/default
    this is the diff file
--- nginx.conf.ori Mon Mar 14 12:21:24 2011
+++ nginx.conf Tue Apr  6 08:53:37 2010
@@ -1,5 +1,5 @@
 
-#user  nobody;
+user  root;
 worker_processes  1;
 
 #error_log  logs/error.log;
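Review bot: The added `user root;` makes every nginx worker process run as root, so any request-handling bug in nginx or a module yields root on the router, and nothing in the hunk shows why the unprivileged default cannot serve the new document root. Unless some file nginx must read is genuinely root-only, keep the commented default as `user nobody;` and instead make the content readable, e.g. `chmod -R o+rX /www-nginx`. If a directive does require root, record the reason in a comment next to the line so the next editor does not silently inherit it.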
@@ -41,7 +41,7 @@
         #access_log  logs/host.access.log  main;
 
         location / {
-            root   html;
+            root   /www-nginx/default;
             index  index.html index.htm;
         }

Testing the configuration
create a simple HTML file at /www-nginx/default/index.html.
Stop openwrt default web server and start nginx

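# Stop the stock uhttpd so its port is free, then start nginx.
# The init action was misspelled ('star'); 'start' is the real verb.
# These only affect the running system; use the 'disable'/'enable' actions
# of the same init scripts if the swap should survive a reboot.
/etc/init.d/uhttpd stop
/etc/init.d/nginx start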

# 完整交叉编译ssl

# OpenWrt/LEDE source
git clone https://github.com/openwrt/openwrt.git
cd openwrt
# NOTE(review): v18.06.0 is a long-superseded release; prefer a currently
# supported tag so the nginx/OpenSSL packages carry recent security fixes.
git checkout v18.06.0

# Make/Build OpenWRT (interactive: pick the board first, then a full verbose build)
make menuconfig # Target System (Marvell Armada 37x/38x/XP) | Target Profile (Linksys WRT1900ACv2 (Cobra))
make V=s

# Make/Build nginx with SSL -- the SSL module appears to be off by default and
# has to be switched on in the package's own Configuration submenu
./scripts/feeds update
./scripts/feeds install nginx
make menuconfig # Network > Web Servers/Proxies > nginx (M) > nginx > Configuration > Enable SSL Module (Y)
make -j5

# Copy up new package to router (the arch and version in the path are
# build-specific; install it on the device afterwards)
scp bin/packages/arm_cortex-a9_vfpv3/packages/nginx_1.12.2-1_arm_cortex-a9_vfpv3.ipk root@router:

# SDK编译

参考:https://www.freesion.com/article/2474294226/

# 配置反向代理

问题:
https模式下,实时监控(netdata)在openwrt的luci中不显示

原因:
netdata 的服务(http://192.168.1.1:19999)只提供 http;浏览器会拦截 https 页面中嵌入的 http 内容(混合内容拦截),所以在 https 界面下无法访问

需求:
http://192.168.1.1:8880/netdata ⇒
https://192.168.1.1:8443/netdata ⇒
http://192.168.1.1:19999

效果:

配置:

/etc/config/nginx

# Let the nginx init script generate nginx.conf from this UCI file; setting
# uci_enable to 'false' skips UCI parsing and leaves nginx.conf hand-managed.
config main global
        option uci_enable 'true'

# TLS front end for the LAN. Every conf.d/*.locations file (including the
# /netdata/ reverse proxy) is spliced into this server, so the access
# restriction included below covers those locations too.
config server '_lan'
        # TLS on 8443 for IPv4 and IPv6; default_server makes this the
        # catch-all for any Host name on that port.
        list listen '8443 ssl default_server'
        list listen '[::]:8443 ssl default_server'
        option server_name '_lan'
        # 'restrict_locally' is the shipped snippet meant to allow only local
        # source addresses (check its contents); keep it, because nothing in
        # the proxied locations adds authentication of its own.
        list include 'restrict_locally'
        list include 'conf.d/*.locations'
        # 'self-signed' asks the UCI integration to generate a self-signed
        # certificate at the two paths below; browsers will warn until it is
        # trusted manually.
        option uci_manage_ssl 'self-signed'
        option ssl_certificate     '/etc/sslcert/nginx_lan.crt'
        option ssl_certificate_key '/etc/sslcert/nginx_lan.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
        # NOTE(review): no ssl_protocols/ssl_ciphers are set, so the build's
        # nginx defaults decide which TLS versions are accepted; pin them if
        # old TLS versions must be refused (confirm first that the UCI
        # template passes such options through).
        ##################
        # access_log path format
        # option access_log 'off; # logd openwrt'
        # NOTE(review): /var/log is normally volatile on OpenWrt, so these
        # logs do not survive a reboot; the commented 'off' form disables them.
        option access_log '/var/log/nginx/access_log.log openwrt'
        ##################
        # error_log path level
        # level: debug | info | notice | warn | error | crit | alert | emerg
        option error_log '/var/log/nginx/error_log.log info'
        ##################

# Plain-HTTP helper on port 8880: it serves nothing itself and only sends the
# client to the TLS server on 8443, keeping the original path and query.
config server '_redirect2ssl'
        option server_name '_redirect2ssl'
        list listen '[::]:8880'
        list listen '8880'
        # $host is whatever Host header the client sent, so the redirect
        # target follows the client's own name for this router.
        option return '302 https://$host:8443$request_uri'


# write /etc/nginx/conf.d/reverse_proxy.locations
# config server '_ssl2netdata'
#       list listen '19998 ssl'
#       option server_name '_ssl2netdata_server_name'
#       list proxy_set_header 'Host $host'
#       list proxy_set_header 'X-Real-IP $remote_addr'
#       list proxy_set_header 'X-Forwarded-For $proxy_add_x_forwarded_for'
#       list proxy_set_header 'X-Forwarded-Proto $scheme'
#       option proxy_pass       'http://localhost:19999'

/etc/nginx/uci.conf.template

# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

# NOTE(review): the worker processes run as root, so any bug in nginx or in a
# proxied handler runs with full control of the router. This is only needed
# if files or sockets nginx must reach are unreadable by an unprivileged
# user; consider a dedicated user once permissions allow it.
user root;

events {}

http {

        # Access logging is off by default; the 'openwrt' format defined here
        # is what the access_log option in /etc/config/nginx refers to.
        access_log off; # logd openwrt
        log_format openwrt
                '$request_method $scheme://$host$request_uri => $status'
                ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

        #
        # Examples of settings that belong in /etc/config/nginx instead:
        #
        # access_log /proc/self/fd/1 openwrt;
        # access_log logd openwrt; # logd openwrt
        #
        # certificates
        #
        # ssl_certificate     '/etc/sslcert/nginx_lan.crt';
        # ssl_certificate_key '/etc/sslcert/nginx_lan.key';

        include mime.types;
        default_type application/octet-stream;
        sendfile on;

        # Bodies up to 128M are accepted, but request headers are capped at
        # two 1k buffers; larger headers are rejected by nginx.
        client_max_body_size 128M;
        large_client_header_buffers 2 1k;

        gzip on;
        gzip_vary on;
        gzip_proxied any;

        # Default document root (the router's web root).
        root /www;

        # The marker below is where the UCI-generated server blocks are
        # inserted; hand-written conf.d/*.conf files follow it.
        #UCI_HTTP_CONFIG
        include conf.d/*.conf;
}

/etc/nginx/conf.d/reverse_proxy.locations

location /netdata/ {
    # Hand the request to the local netdata listener; the trailing slash on
    # proxy_pass strips the /netdata/ prefix before forwarding.
    proxy_pass http://127.0.0.1:19999/;

    # Pass the original request context through so netdata does not see
    # every client as 127.0.0.1 over plain http.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Nothing in this location adds authentication; access control must come
    # from the server that includes it (the 'restrict_locally' include).
}

修改页面

root@openwrt_d2550:/# find / -name netdata
/etc/init.d/netdata
/etc/netdata
/lib/upgrade/keep.d/netdata
/overlay/upper/etc/netdata
/overlay/upper/usr/lib/lua/luci/view/netdata
/overlay/upper/usr/share/netdata
/rom/etc/init.d/netdata
/rom/etc/netdata
/rom/lib/upgrade/keep.d/netdata
/rom/usr/lib/lua/luci/view/netdata
/rom/usr/lib/netdata
/rom/usr/sbin/netdata
/rom/usr/share/netdata
/tmp/cache/netdata
/tmp/lib/netdata
/tmp/log/netdata
/usr/lib/lua/luci/view/netdata
/usr/lib/netdata
/usr/sbin/netdata
/usr/share/netdata
root@openwrt_d2550:/# vim /usr/lib/lua/luci/view/netdata/netdata.htm
root@openwrt_d2550:/# cat /usr/lib/lua/luci/view/netdata/netdata.htm
<%+header%>
<div class="cbi-map">
        <h2 name="content"><%=translate("NetData")%></h2>
        <iframe id="netdata" style="width: 100%; min-height: 1200px; border: none; border-radius: 3px;"></iframe>
</div>
<script type="text/javascript">
        // Original: embed netdata's own plain-http listener directly. When LuCI
        // itself is served over https the browser presumably refuses this as
        // mixed content, which is why the frame stayed empty.
        // document.getElementById("netdata").src = "http://" + window.location.hostname + ":19999";
        // Go through the nginx TLS listener instead: /netdata/ is the
        // reverse-proxy location that forwards to 127.0.0.1:19999. Port and
        // path are hard-coded and must match the nginx config; the hostname
        // is taken from the current page, so the frame is same-origin if LuCI
        // is also reached via 8443.
        document.getElementById("netdata").src = "https://" + window.location.hostname + ":8443/netdata";
</script>
<%+footer%>
root@openwrt_d2550:/#

添加备份

https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles

## This file contains files and directories that should
## be preserved during an upgrade.

## this file is '/etc/sysupgrade.conf'
## which config files of an ipk are backed up is indicated in '/lib/upgrade/keep.d/'

# /etc/example.conf
# /etc/openvpn/


/usr/lib/lua/luci/view/netdata/

查看备份信息是否添加成功
https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles?display=list

...
/usr/lib/lua/luci/view/netdata/netdata.htm
/usr/lib/lua/luci/view/netdata/netdata.htm.bak
...

备份。。。

# 群晖内置nginx配置

root@nas50:~# nginx -V
nginx version: nginx/1.16.1
TLS SNI support enabled
root@nas50:~# cat /etc/nginx/nginx.conf
# Copyright (c) 2000-2017 Synology Inc. All rights reserved.

# One worker per CPU (affinity pinning left disabled) and a raised open-file
# limit; further main-context directives are pulled in from conf.d/main.conf.
worker_processes        auto;
#worker_cpu_affinity    auto;
worker_rlimit_nofile    65535;

include conf.d/main.conf;

events {
    # Linux epoll loop; accept as many pending connections per wakeup as
    # possible and let the kernel distribute them instead of serialising on
    # an accept mutex.
    use             epoll;
    multi_accept    on;
    accept_mutex    off;
    worker_connections 1024;

    include conf.d/events.conf;
}

http {
    include         mime.types;
    default_type    application/octet-stream;

    # Combined-style log format. Access logging is disabled globally below
    # and error logging goes to syslog (local7) rather than a file.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  off;
    #access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
    error_log   syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;

    tcp_nopush  on;
    tcp_nodelay on;

    sendfile        on;
    # Hide the nginx version in error pages and the Server header.
    server_tokens   off;

    # Request and response buffering are off for every backend type, so
    # uploads and downloads stream through nginx instead of being spooled.
    proxy_request_buffering     off;
    fastcgi_request_buffering   off;
    scgi_request_buffering      off;

    proxy_buffering     off;
    fastcgi_buffering   off;
    scgi_buffering      off;

    resolver_timeout              5s;
    client_header_timeout         10s;
    client_body_timeout           60s;
    send_timeout                  60s;
    keepalive_timeout             65s 20s;
    # 0 disables nginx's request-body size check entirely; any upload limit
    # has to be enforced by the backend application.
    client_max_body_size          0;
    server_names_hash_max_size    8192;
    server_names_hash_bucket_size 128;

    # System default certificate, shared by every TLS server below.
    # NOTE(review): TLSv1 and TLSv1.1 are still enabled and the cipher list
    # keeps 3DES (DES-CBC3-SHA) and non-ECDHE AES-SHA suites; both protocol
    # versions are deprecated, so prefer 'TLSv1.2 TLSv1.3' and an ECDHE-only
    # list if the clients allow it.
    ssl_certificate           /usr/syno/etc/certificate/system/default/fullchain.pem;
    ssl_certificate_key       /usr/syno/etc/certificate/system/default/privkey.pem;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_dhparam               /usr/syno/etc/ssl/dh2048.pem;
    ssl_prefer_server_ciphers on;

    # Session tickets are off (no long-lived ticket key to protect); resumption
    # uses the in-memory cache with a one-hour lifetime instead.
    ssl_session_tickets       off;
    ssl_session_cache         shared:SSL:1m;
    ssl_session_timeout       3600s;

    # Trust X-Forwarded-For only when it arrives from localhost or from the
    # proxies listed in the trusted_proxy directory; anyone else cannot spoof
    # their source address this way.
    real_ip_header            X-Forwarded-For;
    real_ip_recursive         on;
    set_real_ip_from          127.0.0.1;

    include     /var/tmp/nginx/trusted_proxy/*.conf;

    # $connection_upgrade is 'upgrade' only when the client asked for a
    # protocol upgrade (WebSocket); available to the included configs.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Not a stock nginx directive; presumably from Synology's own build.
    server_tag     "nginx";

    gzip_disable    "msie6";
    gzip_min_length 1000;
    gzip_types      text/plain text/css application/javascript application/json;
    gzip_vary       on;
    gzip_static     on;

    open_file_cache          max=1000 inactive=60s;
    open_file_cache_valid    3s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    # DSM's SCGI backend, reached over a unix socket.
    upstream synoscgi {
        server unix:/run/synoscgi.sock;
    }

    index index.html index.htm index.php;

    # DSM management UI over plain HTTP (port 5000).
    server {
        listen 5000 default_server;
        listen [::]:5000 default_server;

        server_name _;

        gzip on;

        include app.d/alias.*.conf;
        root /usr/syno/synoman;
        index index.cgi;

        # NOTE(review): lets requests with header names nginx would normally
        # reject (e.g. containing underscores) through to the backend;
        # presumably needed by DSM, but it widens what a client can inject.
        ignore_invalid_headers off;

        include app.d/dsm.*.conf;
        include /usr/syno/share/nginx/conf.d/dsm.*.conf;
        include conf.d/dsm.*.conf;

        location = / {
            try_files $uri /index.cgi$is_args$query_string;
        }

        # Volume paths are only reachable through an internal redirect
        # (X-Accel-Redirect from the backend), never from a direct request.
        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;

            root /;

            open_file_cache off;

            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
            alias /usr/syno/share/OAuth/index_ds.php;
            default_type text/html;
        }

        # Any .cgi path is handed to the SCGI backend.
        location ~ \.cgi {
            include     scgi_params;
            scgi_pass   synoscgi;

            scgi_read_timeout   3600s;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        # Backend-internal paths are blocked from direct access.
        location ~ ^/webman/modules/Indexer/ {
            deny all;
        }

        location ~ ^/webapi/lib/ {
            deny all;
        }

        # NOTE: '(:?' here looks like a typo for the non-capturing '(?:'; as
        # written it is a capturing group with an optional literal colon, so
        # the pattern still matches, and the dot in 'lib.def' is unescaped.
        # Harmless here, but worth knowing before copying the line.
        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
            deny all;
        }

        # Hide dotfiles (.git, .htaccess, ...) everywhere.
        location ~ /\. { access_log off; log_not_found off; deny all; }

        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }

    }

    # DSM management UI over TLS (port 5001); same rules as the 5000 server.
    server {
        listen 5001 default_server ssl;
        listen [::]:5001 default_server ssl;

        server_name _;

        include app.d/alias.*.conf;
        root /usr/syno/synoman;
        index index.cgi;

        # See the note on the 5000 server: invalid header names are passed on.
        ignore_invalid_headers off;

        include app.d/dsm.*.conf;
        include /usr/syno/share/nginx/conf.d/dsm.*.conf;
        include conf.d/dsm.*.conf;

        location = / {
            try_files $uri /index.cgi$is_args$query_string;
        }

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;

            root /;

            open_file_cache off;

            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
            alias /usr/syno/share/OAuth/index_ds.php;
            default_type text/html;
        }

        location ~ \.cgi {
            include     scgi_params;
            scgi_pass   synoscgi;

            scgi_read_timeout   3600s;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ~ ^/webman/modules/Indexer/ {
            deny all;
        }

        location ~ ^/webapi/lib/ {
            deny all;
        }

        # Same '(:?' / unescaped-dot oddity as in the 5000 server.
        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
            deny all;
        }

        location ~ /\. { access_log off; log_not_found off; deny all; }

        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }

    }

    # Web Station / default site on port 80; anything it does not handle is
    # bounced to the DSM port.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        gzip on;

        server_name _;

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;

            root /;

            open_file_cache off;

            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        include app.d/www.*.conf;
        include app.d/alias.*.conf;
        include /usr/syno/share/nginx/conf.d/www.*.conf;
        include conf.d/www.*.conf;

        location = /webdefault/images/logo.jpg {
            alias /usr/syno/share/nginx/logo.jpg;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        # Let's Encrypt HTTP-01 challenges are served straight from disk.
        location ^~ /.well-known/acme-challenge {
            root /var/lib/letsencrypt;
            default_type text/plain;
        }

        include app.d/.location.webstation.conf*;

        # Unhandled paths are first sent to '/', which then redirects to the
        # DSM UI on 5000; '$host' comes from the client's Host header.
        location / {
            rewrite ^ / redirect;
        }

        location ~ ^/$ {
            rewrite / http://$host:5000/ redirect;
        }
    }

    # TLS twin of the port-80 server; redirects land on the 5001 DSM UI.
    server {
        listen 443 default_server ssl;
        listen [::]:443 default_server ssl;

        server_name _;

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;

            root /;

            open_file_cache off;

            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        include app.d/www.*.conf;
        include app.d/alias.*.conf;
        include /usr/syno/share/nginx/conf.d/www.*.conf;
        include conf.d/www.*.conf;

        location = /webdefault/images/logo.jpg {
            alias /usr/syno/share/nginx/logo.jpg;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        # Challenge directory is exposed over TLS as well, mirroring port 80.
        location ^~ /.well-known/acme-challenge {
            root /var/lib/letsencrypt;
            default_type text/plain;
        }

        include app.d/.location.webstation.conf*;

        location / {
            rewrite ^ / redirect;
        }

        location ~ ^/$ {
            rewrite / https://$host:5001/ redirect;
        }
    }

    # Extra http-level settings, package-provided servers and site configs.
    include conf.d/http.*.conf;
    include app.d/server.*.conf;
    include sites-enabled/*;
}

