一、域名托管到cloudflare
登录cloudflare->添加站点->填写域名(例如阿里云)->继续选择free套餐->继续->保存cloudflare分配的DNS地址->进入阿里云域名管理->进入DNS管理/DNS修改把DNS地址修改为cloudflare分配的两个DNS->保存->回到cloudflare->网站中域名打上对号表示托管成功(修改DNS成功后cloudflare会发邮件一般几分钟就配置成功了)->进入网站/SSL/TLS开启始终使用HTTPS就可以免费使用SSL
二、加速访问GitHub
登录cloudflare->Workers 和 Pages->创建->创建 Worker->保存->进入刚创建的Worker->编辑代码worker.js修改为以下代码->保存部署->进入刚刚的Worker->设置/触发器中添加自定义域名因为cloudflare自动分配的域名访问慢->通过自定义域名就可以畅快的访问GitHub了
// 你要镜像的网站.
const upstream = 'github.com'
// 镜像网站的目录,比如你想镜像某个网站的二级目录则填写二级目录的目录名,镜像 google 用不到,默认即可.
const upstream_path = '/'
// 镜像站是否有手机访问专用网址,没有则填一样的.
const upstream_mobile = 'github.com'
// 屏蔽国家和地区.
const blocked_region = ['KP', 'SY', 'PK', 'CU']
// 屏蔽 IP 地址.
const blocked_ip_address = ['0.0.0.0', '127.0.0.1']
// 镜像站是否开启 HTTPS.
const https = true
// 文本替换.
const replace_dict = {'$upstream': '$custom_domain', '//github.com': ''}
// 以下保持默认,不要动
addEventListener('fetch', event => {
event.respondWith(fetchAndApply(event.request))
})
async function fetchAndApply(request) {
const region = request.headers.get('cf-ipcountry').toUpperCase()
const ip_address = request.headers.get('cf-connecting-ip')
const user_agent = request.headers.get('user-agent')
let response = null
let url = new URL(request.url)
let url_hostname = url.hostname
if (https == true) {
url.protocol = 'https:'
} else {
url.protocol = 'http:'
}
if (await device_status(user_agent)) {
var upstream_domain = upstream
} else {
var upstream_domain = upstream_mobile
}
url.host = upstream_domain
if (url.pathname == '/') {
url.pathname = upstream_path
} else {
url.pathname = upstream_path + url.pathname
}
if (blocked_region.includes(region)) {
response = new Response('Access denied: WorkersProxy is not available in your region yet.', {
status: 403
})
} else if (blocked_ip_address.includes(ip_address)) {
response = new Response('Access denied: Your IP address is blocked by WorkersProxy.', {
status: 403
})
} else {
let method = request.method
let request_headers = request.headers
let new_request_headers = new Headers(request_headers)
new_request_headers.set('Host', url.hostname)
new_request_headers.set('Referer', url.hostname)
let original_response = await fetch(url.href, {
method: method,
headers: new_request_headers
})
let original_response_clone = original_response.clone()
let original_text = null
let response_headers = original_response.headers
let new_response_headers = new Headers(response_headers)
let status = original_response.status
new_response_headers.set('access-control-allow-origin', '*')
new_response_headers.set('access-control-allow-credentials', true)
new_response_headers.delete('content-security-policy')
new_response_headers.delete('content-security-policy-report-only')
new_response_headers.delete('clear-site-data')
const content_type = new_response_headers.get('content-type')
if (content_type.includes('text/html') && content_type.includes('UTF-8')) {
original_text = await replace_response_text(original_response_clone, upstream_domain, url_hostname)
} else {
original_text = original_response_clone.body
}
response = new Response(original_text, {
status,
headers: new_response_headers
})
}
return response
}
async function replace_response_text(response, upstream_domain, host_name) {
let text = await response.text()
var i, j
for (i in replace_dict) {
j = replace_dict[i]
if (i == '$upstream') {
i = upstream_domain
} else if (i == '$custom_domain') {
i = host_name
}
if (j == '$upstream') {
j = upstream_domain
} else if (j == '$custom_domain') {
j = host_name
}
let re = new RegExp(i, 'g')
text = text.replace(re, j)
}
return text
}
async function device_status(user_agent_info) {
var agents = ["Android", "iPhone", "SymbianOS", "Windows Phone", "iPad", "iPod"]
var flag = true
for (var v = 0; v < agents.length; v++) {
if (user_agent_info.indexOf(agents[v]) > 0) {
flag = false
break
}
}
return flag
}
三、部署cloudflare项目
# 方式一
在cloudflare管理页面创建worker然后通过在线编辑直接修改worker.js保存部署,此方法适合简单的js或已经编译好的js->给worker配置自定义域名
# 方式二
通过cloudflare项目部署页面:https://deploy.workers.cloudflare.com/?url=cloudflare项目的github地址->进入cloudflare给worker配置自定义域名
适合cloudflare项目源码部署并且可以通过github的action实现代码提交自动部署到cloudflare
此方法首先授权github权限给cloudflare,cloudflare会fork项目到你的github同时将cloudflare worker的相关信息保存到github项目的Secrets and variables中
# 方式三
通过cloudflare cli命令行部署,首先clone项目或者自己的项目->进入项目目录->安装cli(npm install wrangler --save-dev,npx wrangler -v命令可以查看版本和node/npm是否兼容)->登录(npx wrangler login,npx可以找到项目中的可执行文件)->修改wrangler.toml文件中的account_id="npx wrangler whomi"和name="xxx"->部署(npx wrangler deploy)->进入cloudflare给worker配置自定义域名
如果项目用到命名空间可以通过cli创建(npx wrangler kv:namespace create xxx)->把namespaces配置到wrangler.toml中(kv_namespaces = [{ binding = "变量名", id = "namespacesID" }])
# cloudflare 优秀项目
https://igdux.com/workers
https://github.com/zhuima/awesome-cloudflare
docker加速(方式二)-https://github.com/ciiiii/cloudflare-docker-proxy
docker加速(方式三)-https://github.com/ImSingee/hammal
docker加速worker部署好后就可以把配置worker域名配置到docker的/etc/docker/daemon.json中
Containerd加速需配置到Containerd配置中
# github加速,采用方式一,worker.js如下
// 你要镜像的网站.
const upstream = 'github.com'
// 镜像网站的目录,比如你想镜像某个网站的二级目录则填写二级目录的目录名,镜像 google 用不到,默认即可.
const upstream_path = '/'
// 镜像站是否有手机访问专用网址,没有则填一样的.
const upstream_mobile = 'github.com'
// 屏蔽国家和地区.
const blocked_region = ['KP', 'SY', 'PK', 'CU']
// 屏蔽 IP 地址.
const blocked_ip_address = ['0.0.0.0', '127.0.0.1']
// 镜像站是否开启 HTTPS.
const https = true
// 文本替换.
const replace_dict = {'$upstream': '$custom_domain', '//github.com': ''}
// 以下保持默认,不要动
addEventListener('fetch', event => {
event.respondWith(fetchAndApply(event.request))
})
async function fetchAndApply(request) {
const region = request.headers.get('cf-ipcountry').toUpperCase()
const ip_address = request.headers.get('cf-connecting-ip')
const user_agent = request.headers.get('user-agent')
let response = null
let url = new URL(request.url)
let url_hostname = url.hostname
if (https == true) {
url.protocol = 'https:'
} else {
url.protocol = 'http:'
}
if (await device_status(user_agent)) {
var upstream_domain = upstream
} else {
var upstream_domain = upstream_mobile
}
url.host = upstream_domain
if (url.pathname == '/') {
url.pathname = upstream_path
} else {
url.pathname = upstream_path + url.pathname
}
if (blocked_region.includes(region)) {
response = new Response('Access denied: WorkersProxy is not available in your region yet.', {
status: 403
})
} else if (blocked_ip_address.includes(ip_address)) {
response = new Response('Access denied: Your IP address is blocked by WorkersProxy.', {
status: 403
})
} else {
let method = request.method
let request_headers = request.headers
let new_request_headers = new Headers(request_headers)
new_request_headers.set('Host', url.hostname)
new_request_headers.set('Referer', url.hostname)
let original_response = await fetch(url.href, {
method: method,
headers: new_request_headers
})
let original_response_clone = original_response.clone()
let original_text = null
let response_headers = original_response.headers
let new_response_headers = new Headers(response_headers)
let status = original_response.status
new_response_headers.set('access-control-allow-origin', '*')
new_response_headers.set('access-control-allow-credentials', true)
new_response_headers.delete('content-security-policy')
new_response_headers.delete('content-security-policy-report-only')
new_response_headers.delete('clear-site-data')
const content_type = new_response_headers.get('content-type')
if (content_type.includes('text/html') && content_type.includes('UTF-8')) {
original_text = await replace_response_text(original_response_clone, upstream_domain, url_hostname)
} else {
original_text = original_response_clone.body
}
response = new Response(original_text, {
status,
headers: new_response_headers
})
}
return response
}
async function replace_response_text(response, upstream_domain, host_name) {
let text = await response.text()
var i, j
for (i in replace_dict) {
j = replace_dict[i]
if (i == '$upstream') {
i = upstream_domain
} else if (i == '$custom_domain') {
i = host_name
}
if (j == '$upstream') {
j = upstream_domain
} else if (j == '$custom_domain') {
j = host_name
}
let re = new RegExp(i, 'g')
text = text.replace(re, j)
}
return text
}
async function device_status(user_agent_info) {
var agents = ["Android", "iPhone", "SymbianOS", "Windows Phone", "iPad", "iPod"]
var flag = true
for (var v = 0; v < agents.length; v++) {
if (user_agent_info.indexOf(agents[v]) > 0) {
flag = false
break
}
}
return flag
}
# github加速 end
四、加速docker镜像
# 部署docker加速项目到cloudflare worker中
https://github.com/ciiiii/cloudflare-docker-proxy和https://github.com/ImSingee/hammal两个项目都可以实现docker加速部署方式参考上面步骤,两个都支持k8s.gcr.io, gcr.io, quay.io的镜像加速,hammal每个worker一次只支持配置一个(handler.ts中的DEFAULT_BACKEND_HOST)另一个可以同时配置多个(src/index中配置https://registry-1.docker.io、quay.io、gcr.io、k8s.gcr.io、registry.k8s.io、ghcr.io、docker.cloudsmith.io等,每个地址需要配置一个单独的域名)
# 修改配置
配置worker域名配置到docker的/etc/docker/daemon.json中的registry-mirrors中并重启这样docker pull imagesname就可以加速了,也可以单独通过docker pull host/imagesname来加速下载某个镜像,不过修改docker配置只适用docker hub的加速而Containerd支持任意registry的mirror
Containerd是从docker分离出来的docker对容器的管理和操作基本都是通过containerd完成的,docker安装后默认containerd就安装了,Containerd有ctr、runc等命令(containerd config default查看默认配置、ctr images ls查看镜像、ctr images pull imagesname拉取镜像、ctr run -t imagesname:name运行容器),k8s中则使用crictl命令,docker、k8s和containerd的镜像通用但是管理方式不同导致docker、ctr、crictl命令不通用
在k8s、containerd、和Rancher的RKE2中都可以通过配置containerd来实现镜像代理
# containerd-v2配置
修改配置文件/etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d" # 镜像地址配置文件
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."x.x.x.x:x".tls]
insecure_skip_verify = true # 是否跳过安全认证
[plugins."io.containerd.grpc.v1.cri".registry.configs."x.x.x.x:x".auth]
username = "admin"
password = "YOUR_HARBOR_PASSWORD"
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."x.x.x.x:x"]
endpoint = ["http://x.x.x.x:x"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
endpoint = ["https://x.x.x.x"]
配置文件/etc/containerd/certs.d/docker.io/hosts.toml
server = "https://docker.io" # 默认地址
[host."https://xxx.mirror.aliyuncs.com"]
capabilities = ["pull", "resolve"]
skip_verify = true # 跳过证书校验
ca = "/etc/certs/mirror.pem" # 证书
# RKE2/K3S中配置
因为RKE启动会覆盖容器中的containerd配置所以Rancher通过在/etc/rancher/rke2/registries.yaml中进行配置启动时根据registries.yaml配置自动进行containerd的配置转换
mirrors:
docker.io:
endpoint:
- "https://x.x.x.x:x"
x.x.x.x:
endpoint:
- "https://x.x.x.x:x"
configs:
"x.x.x.x:x":
auth:
username: xxxxxx
password: xxxxxx
tls:
cert_file: ""
key_file: ""
ca_file: ""
insecure_skip_verify: ""
# 重启containerd
systemctl daemon-reload;systemctl restart containerd然后就可以直接拉取Docker Hub、gcr.io 和quay.io的镜像了,不需要修改任何前缀,Containerd会根据配置自动选择相应的代理URL拉取镜像