Service Deployment and Configuration Notes

1. Podman Compose configuration

Create the network

podman network create znet

Nginx service

services:
  nginx:
    image: docker.io/library/nginx:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:Z
      - ./ssl:/etc/nginx/ssl:Z
    environment:
      - TZ=Asia/Shanghai
    networks:
      - podman-network
networks:
  podman-network:
    external: true
    name: znet

sing-box service

services:
  sing-box:
    image: ghcr.io/sagernet/sing-box:latest
    container_name: sing-box
    volumes:
      - ./config.json:/etc/sing-box/config.json:Z
    command: run -c /etc/sing-box/config.json
    environment:
      - TZ=Asia/Shanghai
    networks:
      - podman-network
networks:
  podman-network:
    external: true
    name: znet

Caddy service

Create the Caddyfile before starting the service: if the mount point is left for the runtime to create, it is created as a directory and Caddy fails to start.

services:
  caddy:
    image: docker.io/library/caddy:latest
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy-data:/data
      - ./caddy-config:/config
      - ./website:/srv
      - ./Caddyfile:/etc/caddy/Caddyfile
    environment:
      - TZ=Asia/Shanghai
    networks:
      - podman-network
networks:
  podman-network:
    external: true
    name: znet
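The Caddyfile caveat above applies to every single-file bind mount in these compose files (nginx.conf, config.json, Caddyfile). The following pre-flight script is an added example for these notes, not part of the original page or of podman-compose: it makes sure each such path is a regular file (creating an empty one if missing, refusing to continue if a directory is already there) and that the external network znet exists. The function names are my own; the file names and network name come from the compose files above.

```shell
#!/bin/sh
# Pre-flight checks to run before `podman-compose up`.
# Added example for these notes; not the project's own tooling.

# ensure_bind_file PATH
# Returns 0 when PATH is a regular file (an empty one is created if missing),
# returns 1 when PATH exists but is a directory, which is exactly what the
# container runtime leaves behind when a file mount point did not exist.
ensure_bind_file() {
    path=$1
    if [ -d "$path" ]; then
        echo "ERROR: $path is a directory; remove it and create a file instead" >&2
        return 1
    fi
    if [ ! -e "$path" ]; then
        : > "$path"      # create an empty file so the bind mount is a file
        echo "created empty $path" >&2
    fi
    [ -f "$path" ]
}

# ensure_network NAME
# Creates the external network when podman is installed and the network is
# missing. Returns 0 when podman is not on this host (nothing to check).
ensure_network() {
    name=$1
    command -v podman >/dev/null 2>&1 || return 0
    podman network exists "$name" && return 0
    podman network create "$name"
}

# Usage: sh preflight.sh --run ./Caddyfile ./config.json ./nginx.conf
# (the --run guard keeps the functions side-effect free when sourced)
if [ "${1:-}" = "--run" ]; then
    shift
    for f in "$@"; do
        ensure_bind_file "$f" || exit 1
    done
    ensure_network znet
fi
```

Run it from each compose project directory with the file paths that project mounts; a non-zero exit means a directory is sitting where a file mount is expected and the container would fail on start.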

2. Caddyfile configuration

Security header snippet

(zsecurity) {
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        X-XSS-Protection "1; mode=block"
        -Server
    }
    encode gzip zstd
}

Site configuration

noco.zhaopeng.site {
    import zsecurity
    reverse_proxy 192.168.112.3:8080
}
zing.baidaoya.qzz.io {
    import zsecurity
    
    # access log
    log {
        output stderr
        level ERROR
    }
    
    # forward WebSocket traffic to sing-box
    handle /ws/* {
        reverse_proxy singbox:8443 {
            flush_interval -1
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Proto {scheme}
        }
    }
}
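To confirm that the (zsecurity) snippet is actually applied on a site, compare the response headers against what the snippet promises: the three hardening headers present and the Server header removed. The script below is an added example for these notes, not part of the page or of Caddy; the two sample responses are constructed here rather than captured from the site, and the function name is my own.

```shell
#!/bin/sh
# Checks a raw HTTP response header block against the (zsecurity) snippet.
# Added example for these notes; the samples below are constructed.

# check_security_headers HEADERS
# HEADERS is the header text as printed by `curl -sI URL` (HTTP/1.1 or HTTP/2,
# any header-name case). Prints one line per finding; returns 1 if any
# hardening header is missing or a Server header is still sent, else 0.
check_security_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for want in "x-content-type-options: nosniff" \
                "x-frame-options: deny" \
                "x-xss-protection: 1; mode=block"; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$want"; then
            echo "missing: $want"
            rc=1
        fi
    done
    if printf '%s\n' "$hdrs" | grep -q '^server:'; then
        echo "leak: Server header is still sent"
        rc=1
    fi
    return $rc
}

# probe_site HOST: fetch the live headers and run the check (needs network)
probe_site() {
    check_security_headers "$(curl -sI --max-time 10 "https://$1/")"
}

# Constructed sample: what a site that imports zsecurity should return.
GOOD_RESPONSE='HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
content-encoding: zstd'

# Constructed sample: snippet not imported, default Server header leaks.
BAD_RESPONSE='HTTP/1.1 200 OK
Server: Caddy
Content-Type: text/html
X-Content-Type-Options: nosniff'
```

Run `probe_site noco.zhaopeng.site` after a reload; every finding printed is a site block that forgot `import zsecurity` or a header that an upstream overrode.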

3. sing-box configuration

{
  "log": {
    "disabled": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-ws",
      "listen": "0.0.0.0",
      "listen_port": 8443,
      "users": [
        {
          "uuid": "d985dd4e-2681-11f1-8000-e205889b6281",
          "flow": ""
        }
      ],
      "transport": {
        "type": "ws",
        "path": "/ws",
        "headers": {
          "Host": ["zing.baidaoya.qzz.io"]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ]
}

4. Debugging commands

Test connectivity from the Caddy container to sing-box

podman exec caddy curl -v http://singbox:8443 2>&1 | head -15

Test the TLS handshake (the domain must already resolve)

curl -v https://zing.baidaoya.qzz.io/ws \
     -H "Connection: Upgrade" \
     -H "Upgrade: websocket" \
     2>&1 | head -20
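A plain GET with Connection/Upgrade headers only shows that TLS works; a VLESS-over-WS inbound answers 101 Switching Protocols only when the full RFC 6455 handshake arrives on the path it expects (/ws in the config above). The script below is an added example for these notes, not part of the page or of sing-box: it extends the curl command above with the Sec-WebSocket-Version/Key headers and forces HTTP/1.1 (curl drops Upgrade on HTTP/2), then classifies the captured response. The sample transcripts are constructed, the function names are my own, and the diagnoses assume the setup on this page: sing-box publishes no ports, so 8443 is reachable only from containers on znet, and the name in reverse_proxy must resolve there. When checking the path, keep in mind that Caddy's `/ws/*` matcher is a prefix match on `/ws/` and the client must use a path it covers.

```shell
#!/bin/sh
# WebSocket handshake probe and response classifier for the Caddy -> sing-box
# path. Added example for these notes; transcripts below are constructed.

# ws_handshake_ok TRANSCRIPT
# TRANSCRIPT is the header output of `curl -si ...`. Returns 0 only when the
# status is 101 and the server confirmed the upgrade.
ws_handshake_ok() {
    t=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    printf '%s\n' "$t" | grep -q '^http/1\.1 101' || return 1
    printf '%s\n' "$t" | grep -q '^upgrade: websocket' || return 1
    printf '%s\n' "$t" | grep -q '^connection: upgrade' || return 1
    return 0
}

# ws_diagnose TRANSCRIPT
# Prints a one-line diagnosis for the common outcomes of this setup.
ws_diagnose() {
    t=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    status=$(printf '%s\n' "$t" | sed -n 's|^http/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p' | head -n 1)
    case "$status" in
        101) echo "ok: websocket upgrade accepted" ;;
        200) echo "not proxied: no Caddy handle matched this path, Caddy answered itself" ;;
        404) echo "path mismatch: request reached sing-box but transport.path differs" ;;
        502) echo "upstream unreachable: check the reverse_proxy name and port on znet" ;;
        '')  echo "no HTTP response: DNS or TLS problem before Caddy" ;;
        *)   echo "unexpected status $status" ;;
    esac
}

# probe_ws HOST PATH  (needs network; e.g. probe_ws zing.baidaoya.qzz.io /ws)
probe_ws() {
    curl -si --http1.1 --max-time 10 "https://$1$2" \
        -H "Connection: Upgrade" \
        -H "Upgrade: websocket" \
        -H "Sec-WebSocket-Version: 13" \
        -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
}

# Constructed transcript: handshake accepted by sing-box through Caddy.
OK_TRANSCRIPT='HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo='

# Constructed transcript: Caddy served the request itself (no handle matched).
NOT_PROXIED='HTTP/1.1 200 OK
Content-Length: 0'

# Constructed transcript: Caddy could not reach the upstream container.
UPSTREAM_DOWN='HTTP/1.1 502 Bad Gateway
Content-Length: 0'
```

Usage: `ws_diagnose "$(probe_ws zing.baidaoya.qzz.io /ws)"`; only the 101 outcome means both the Caddy route and the sing-box transport settings agree.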

5. Key points

  • Network: all services join one external network named znet, so containers can reach each other by service name.
  • sing-box: listens on 127.0.0.1:8443 and accepts only local connections; real traffic arrives through Caddy.
  • Caddy: terminates TLS and forwards WebSocket traffic to sing-box.
  • Security headers: configured once in Caddy for every site, with the Server header removed.
  • The WebSocket path /ws/* is forwarded to singbox:8443.
