通过 Nginx 与 Cloudflare Workers 反向代理常见服务(Docker、Github、Telegram)
Docker
Nginx
TIP
使用 1Panel 的用户还需要将 Nginx 自带配置中的 `proxy_set_header Host $host;` 注释掉,否则发给上游的 Host 头会是你自己的域名,而不是下面配置中指定的上游域名。
nginx
location / {
    # Upstream: Docker Hub's official registry endpoint.
    proxy_pass https://registry-1.docker.io;

    # Request headers sent upstream. Host names the upstream, not this server;
    # Authorization carries the client's registry credentials through unchanged.
    proxy_set_header Host              registry-1.docker.io;
    proxy_set_header Authorization     $http_authorization;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Let an Authorization header in the upstream response through to the client.
    proxy_pass_header Authorization;

    # Stream upstream responses to the client instead of buffering them
    # (this turns off buffering, not caching).
    proxy_buffering off;

    # Redirect handling: inspect the upstream status code so error_page can act on it,
    # allow error_page processing to apply more than once per request (the author's
    # intent is to follow a chain of redirects), and hand 301/302/307 responses to the
    # named location below instead of returning them to the client.
    proxy_intercept_errors on;
    recursive_error_pages on;
    error_page 301 302 307 = @handle_redirect;

    # NOTE(review): nothing in this block limits who may pull through the mirror. If the
    # enclosing server block does not either, restrict it by source address with
    # allow/deny (auth_basic is a poor fit because Authorization is forwarded upstream).
    # NOTE(review): nginx does not verify the upstream certificate unless proxy_ssl_verify
    # is enabled together with proxy_ssl_trusted_certificate; check what the surrounding
    # configuration sets.
}
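# Named location reached through error_page when the upstream answers 301/302/307:
# nginx fetches the redirect target itself and returns that response to the client.
location @handle_redirect {
    # proxy_pass below contains a variable, so the target host is resolved at request
    # time and a resolver must be configured.
    resolver 8.8.8.8;

    # Target URL = Location header of the upstream response that triggered error_page.
    # nginx will connect to whatever host that header names, so this location is only
    # as trustworthy as the upstream that produced the redirect.
    set $saved_redirect_location '$upstream_http_location';

    # Do not pass the client's registry credentials on to the redirect target, which is
    # a different host from the registry. An empty value makes nginx omit the header.
    # Declaring proxy_set_header here also stops inheritance of proxy_set_header
    # directives from outer levels, so Host falls back to the redirect target's host.
    # NOTE(review): assumes redirect targets are pre-signed storage/CDN URLs that need
    # no registry token; confirm with a test pull.
    proxy_set_header Authorization "";

    proxy_pass $saved_redirect_location;
}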
Cloudflare Workers
复制 _worker.js 中的代码直接运行即可
使用
- 创建 `/etc/docker/daemon.json` 文件
- 填入以下内容(将 `mirrors.domain.com` 换成你自己的反代域名)
json
{
"registry-mirrors": ["https://mirrors.domain.com"]
}
- 重启 Docker
sh
# Reload systemd's unit definitions, then restart the Docker service so the daemon
# starts again with the edited /etc/docker/daemon.json. Both commands need root.
# Restarting the daemon stops running containers unless live-restore is enabled.
systemctl daemon-reload
systemctl restart docker
参考资料
Github
Nginx
TIP
使用 1Panel 的还需要将 Nginx 自带配置中的 proxy_set_header Host $host;
注释掉
nginx
# /robots.txt is matched by this longer prefix instead of the proxying `location /`.
# The block has no proxy_pass, so the request is not forwarded upstream, and
# `allow all` lifts any address-based restriction for this one path.
location /robots.txt {
    allow all;
}
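location / {
    # Hot-link filter: reject requests whose Referer is neither absent ("none"),
    # stripped by a proxy/firewall ("blocked"), nor one of the two GitHub hosts.
    # This is not access control: Referer is chosen by the client, and "none" admits
    # every client that sends no Referer at all (curl, scripts).
    valid_referers none blocked raw.githubusercontent.com github.com;
    if ($invalid_referer) {
        return 403;
    }

    # Upstream response headers withheld from the client: the upstream's HSTS policy
    # and cookies must not be applied to this proxy's hostname.
    proxy_hide_header Strict-Transport-Security;
    proxy_hide_header set-cookie;
    proxy_hide_header x-pjax-url;
    # The upstream Content-Security-Policy header is deliberately NOT hidden any more.
    # The files served are user-supplied repository content; stripping the upstream's
    # policy would let a browser render them under this proxy's origin without it.
    # Serve the proxy on a hostname that hosts nothing else.

    # Host must name the upstream, not this server.
    proxy_set_header Host raw.githubusercontent.com;
    proxy_http_version 1.1;

    # Fail fast when the upstream is unreachable or stalls.
    proxy_connect_timeout 5s;
    proxy_read_timeout 5s;

    # NOTE(review): nginx does not verify the upstream certificate unless
    # proxy_ssl_verify is enabled together with proxy_ssl_trusted_certificate.
    proxy_pass https://raw.githubusercontent.com;
}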
Cloudflare Workers
js
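// Upstream host this Worker forwards to. This listing is the GitHub example, so it
// targets the same host as the Nginx example in the same section; the original
// listing had 'api.telegram.org' here, which is the Telegram upstream.
const hostname = 'raw.githubusercontent.com';

// Worker entry point: answer every request with the upstream's response for the same
// path and query string.
// NOTE(review): there is no caller restriction here; anyone who learns the Worker URL
// can fetch through it.
addEventListener('fetch', (event) => {
  // Keep path and query, replace only host and scheme.
  const url = new URL(event.request.url);
  url.hostname = hostname;
  url.protocol = 'https';

  // Passing the incoming request as init copies its method, headers and body, so
  // client headers such as Cookie and Authorization are forwarded upstream too.
  const request = new Request(url, event.request);
  event.respondWith(fetch(request));
});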
Telegram
Nginx
TIP
使用 1Panel 的还需要将 Nginx 自带配置中的 proxy_set_header Host $host;
注释掉
前缀匹配
nginx
# Prefix match: every URI that starts with /bot is relayed to the Telegram Bot API,
# and ^~ stops nginx from checking regex locations for these URIs.
location ^~ /bot {
    # Stream upstream responses straight to the client instead of buffering them.
    proxy_buffering off;

    # proxy_pass contains a variable, so the upstream name is resolved at request time
    # through this resolver.
    resolver 8.8.8.8;

    # $request_uri is the client's original URI including the query string.
    proxy_pass https://api.telegram.org$request_uri;

    # NOTE(review): /bot matches the path of every bot, so this relays API calls for
    # any bot token. To serve a single bot, narrow the prefix to its ID, for example
    # `location ^~ /bot<BOT_ID>:` (placeholder).
    # NOTE(review): the bot token is part of the request path and is therefore written
    # to the access log by the default log format; consider `access_log off;` here.
}
正则匹配
nginx
# Regex match: case-insensitive (~*) test for URIs that start with /bot; matching
# requests are relayed to the Telegram Bot API.
location ~* ^/bot {
    # Stream upstream responses straight to the client instead of buffering them.
    proxy_buffering off;

    # proxy_pass contains a variable, so the upstream name is resolved at request time
    # through this resolver.
    resolver 8.8.8.8;

    # $request_uri is the client's original URI including the query string.
    proxy_pass https://api.telegram.org$request_uri;

    # NOTE(review): ^/bot matches the path of every bot, so this relays API calls for
    # any bot token. To serve a single bot, anchor the pattern to its ID, for example
    # `^/bot<BOT_ID>:` (placeholder).
    # NOTE(review): the bot token is part of the request path and is therefore written
    # to the access log by the default log format; consider `access_log off;` here.
}
Cloudflare Workers
基础版
js
// Upstream host: the Telegram Bot API.
const hostname = 'api.telegram.org';

// Worker entry point: relay each request to the same path and query on the upstream.
// The bot token is part of that path, and nothing here checks which bot is being
// called, so this basic version relays for any bot token.
addEventListener('fetch', (event) => {
  const incoming = event.request;

  // Keep path and query, replace only host and scheme.
  const upstreamUrl = new URL(incoming.url);
  upstreamUrl.hostname = hostname;
  upstreamUrl.protocol = 'https';

  // Using the incoming request as init copies its method, headers and body.
  event.respondWith(fetch(new Request(upstreamUrl, incoming)));
});
进阶版
- 为了防止被滥用,我们希望反代的 API 只有自己的机器人可以使用,因此还可以对请求的链接进行判断
- 在 whitelist 中填入自己的机器人 ID
js
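// Only paths that start with this prefix are relayed. Replace the X placeholder with
// your own bot's numeric ID; the trailing ':' keeps longer IDs from matching.
const whitelist = '/botXXXXXXXXXX:';
// Upstream host: the Telegram Bot API.
const hostname = 'api.telegram.org';

// Worker entry point: relay Bot API calls for the whitelisted bot only.
addEventListener('fetch', (event) => {
  const url = new URL(event.request.url);

  // The rejection has to go through event.respondWith(). A value returned from the
  // listener is ignored, so a bare `return new Response(...)` never sends the 403.
  if (!url.pathname.startsWith(whitelist)) {
    event.respondWith(new Response('Unauthorized', { status: 403 }));
    return;
  }

  // Keep path and query, replace only host and scheme.
  url.hostname = hostname;
  url.protocol = 'https';

  // Using the incoming request as init copies its method, headers and body.
  const request = new Request(url, event.request);
  event.respondWith(fetch(request));
});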
通用反代
使用方式:访问 https://domain.com/yourpath/https://raw.githubusercontent.com/ 。注意:路径前缀 yourpath 是这段代码唯一的访问限制,请换成不易猜到的字符串,否则任何知道地址的人都可以借它代理任意网址。
js
// Worker entry point: answer every fetch event with whatever handleRequest()
// resolves to for the incoming request.
addEventListener('fetch', (event) => {
  const { request } = event;
  event.respondWith(handleRequest(request));
});
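/**
 * Generic reverse proxy: a request for `/yourpath/<absolute-url>` is forwarded to
 * `<absolute-url>` and the upstream response is returned with CORS opened up.
 *
 * The path prefix is the only thing standing between the internet and an open proxy,
 * so replace `yourpath` with a value that is hard to guess and, where possible, list
 * the upstream hosts you actually need in `allowedHosts`.
 *
 * @param {Request} request - Incoming request.
 * @returns {Promise<Response>} 404 outside the prefix, 400 for a target that is not an
 *   absolute http(s) URL or that points back at this proxy, 403 for a host outside a
 *   non-empty allow-list, otherwise the upstream response.
 */
async function handleRequest(request) {
  const prefix = '/yourpath/';
  // Optional upstream allow-list, e.g. new Set(['raw.githubusercontent.com']).
  // Empty keeps the original "any host" behaviour. Redirects are followed by fetch()
  // and are not re-checked against this list.
  const allowedHosts = new Set();

  const url = new URL(request.url);
  if (!url.pathname.startsWith(prefix)) {
    return new Response('Not Found', { status: 404 });
  }

  const actualUrlStr = url.pathname.slice(prefix.length) + url.search + url.hash;

  // Parse without a base URL: the remainder must be an absolute URL on its own.
  // Resolving it against this proxy's origin would turn a malformed or relative
  // target into a request to the proxy's own hostname.
  let actualUrl;
  try {
    actualUrl = new URL(actualUrlStr);
  } catch {
    return new Response('Bad Request', { status: 400 });
  }

  const isHttp = actualUrl.protocol === 'https:' || actualUrl.protocol === 'http:';
  if (!isHttp || actualUrl.host === url.host) {
    return new Response('Bad Request', { status: 400 });
  }
  if (allowedHosts.size > 0 && !allowedHosts.has(actualUrl.hostname)) {
    return new Response('Forbidden', { status: 403 });
  }

  // All client headers are forwarded unchanged, including Cookie and Authorization,
  // and the upstream's Set-Cookie comes back under this proxy's hostname. Run the
  // Worker on a hostname that hosts nothing else.
  const modifiedRequest = new Request(actualUrl, {
    headers: request.headers,
    method: request.method,
    body: request.body,
    redirect: 'follow',
  });
  const response = await fetch(modifiedRequest);

  // Re-wrap the response so its headers become mutable. The wildcard lets scripts on
  // any website read whatever this proxy returns.
  const modifiedResponse = new Response(response.body, response);
  modifiedResponse.headers.set('Access-Control-Allow-Origin', '*');
  return modifiedResponse;
}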
预览: