
# Full cross-compilation

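Reference: https://servertesa.wordpress.com/2011/05/22/how-to-compile-and-configure-nginx-on-openwrt/

Prerequisite: an OpenWrt build environment in which a build has already been completed once
(build tutorial: [Quick notes] openwrt - compiling and flashing firmware https://lawsssscat.blog.csdn.net/article/details/103744761)

Note: nginx is not part of the OpenWrt base packages, so you must first download the additional packages (feeds).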

./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig

In 'make menuconfig', select Network->nginx.
Compiling nginx is very easy, thanks to the OpenWrt developers!

make menuconfig

Choose Network->Nginx, then build the package:

make ./package/feeds/packages/nginx/compile

The nginx package will be placed at bin/[board_arch]/packages/nginx_0.7.67-3_ar71xx.ipk. On a TP-Link TL-WR1043ND: bin/ar71xx/packages/nginx_0.7.67-3_ar71xx.ipk


Configure Nginx

Create the nginx root directory:

mkdir /www-nginx/default -p

Edit /etc/nginx/nginx.conf:

  • change the user from nobody to root
  • change the nginx root directory to /www-nginx/default

This is the diff:
--- nginx.conf.ori Mon Mar 14 12:21:24 2011
+++ nginx.conf Tue Apr  6 08:53:37 2010
@@ -1,5 +1,5 @@-#user  nobody;
+user  root;worker_processes  1;#error_log  logs/error.log;
@@ -41,7 +41,7 @@#access_log  logs/host.access.log  main;location / {
-            root   html;
+            root   /www-nginx/default;index  index.html index.htm;}
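
Review bot: In the first hunk, `user  root;` makes the nginx worker processes run as root, which serving static files from /www-nginx/default does not require; any bug in request handling would then run with full privileges on the router. Suggest keeping a non-root account on the `user` line (the commented default is `nobody`) and making /www-nginx/default readable by that account instead.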

Testing the configuration

Create a simple HTML file at /www-nginx/default/index.html.
Stop the default OpenWrt web server (uhttpd) and start nginx:

/etc/init.d/uhttpd stop
/etc/init.d/nginx start

# Full cross-compilation with SSL

# OpenWrt/LEDE source
git clone https://github.com/openwrt/openwrt.git
cd openwrt
git checkout v18.06.0

# Make/Build OpenWRT
make menuconfig # Target System (Marvell Armada 37x/38x/XP) | Target Profile (Linksys WRT1900ACv2 (Cobra))
make V=s

# Make/Build nginx with SSL
./scripts/feeds update
./scripts/feeds install nginx
make menuconfig # Network > Web Servers/Proxies > nginx (M) > nginx > Configuration > Enable SSL Module (Y)
make -j5

# Copy up new package to router
scp bin/packages/arm_cortex-a9_vfpv3/packages/nginx_1.12.2-1_arm_cortex-a9_vfpv3.ipk root@router:

# Building with the SDK

Reference: https://www.freesion.com/article/2474294226/

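# Configuring a reverse proxy

Problem:
In HTTPS mode, the real-time monitor (netdata) does not display in OpenWrt's LuCI.

Cause:
The netdata service (http://192.168.1.1:19999) is served over plain HTTP, so it cannot be loaded from within the HTTPS page (the browser blocks it as mixed content).

Requirement:
http://192.168.1.1:8880/netdata ⇒
https://192.168.1.1:8443/netdata ⇒
http://192.168.1.1:19999
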
Configuration:

/etc/config/nginx

config main global
        option uci_enable 'true'

config server '_lan'
        list listen '8443 ssl default_server'
        list listen '[::]:8443 ssl default_server'
        option server_name '_lan'
        list include 'restrict_locally'
        list include 'conf.d/*.locations'
        option uci_manage_ssl 'self-signed'
        option ssl_certificate     '/etc/sslcert/nginx_lan.crt'
        option ssl_certificate_key '/etc/sslcert/nginx_lan.key'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
        ##################
        # access_log path format
        # option access_log 'off; # logd openwrt'
        option access_log '/var/log/nginx/access_log.log openwrt'
        ##################
        # error_log path level
        # level: debug | info | notice | warn | error | crit | alert | emerg
        option error_log '/var/log/nginx/error_log.log info'
        ##################

config server '_redirect2ssl'
        list listen '8880'
        list listen '[::]:8880'
        option server_name '_redirect2ssl'
        option return '302 https://$host:8443$request_uri'

# write /etc/nginx/conf.d/reverse_proxy.locations
# config server '_ssl2netdata'
#       list listen '19998 ssl'
#       option server_name '_ssl2netdata_server_name'
#       list proxy_set_header 'Host $host'
#       list proxy_set_header 'X-Real-IP $remote_addr'
#       list proxy_set_header 'X-Forwarded-For $proxy_add_x_forwarded_for'
#       list proxy_set_header 'X-Forwarded-Proto $scheme'
#       option proxy_pass       'http://localhost:19999'

/etc/nginx/uci.conf.template

# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration.
# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false
# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx

worker_processes auto;

user root;

events {}

http {
    access_log off; # logd openwrt
    log_format openwrt
        '$request_method $scheme://$host$request_uri => $status'
        ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer';

    #
    # write /etc/config/nginx
    #
    # access_log /proc/self/fd/1 openwrt;
    # access_log logd openwrt; # logd openwrt

    #
    # certificate
    #
    # ssl_certificate     '/etc/sslcert/nginx_lan.crt';
    # ssl_certificate_key '/etc/sslcert/nginx_lan.key';

    include mime.types;
    default_type application/octet-stream;
    sendfile on;

    client_max_body_size 128M;
    large_client_header_buffers 2 1k;

    gzip on;
    gzip_vary on;
    gzip_proxied any;

    root /www;

    #UCI_HTTP_CONFIG
    include conf.d/*.conf;
}

/etc/nginx/conf.d/reverse_proxy.locations

location /netdata/ {
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://127.0.0.1:19999/;
    # return 302 https://$host:8443$request_uri;
}

Modify the page

root@openwrt_d2550:/# find / -name netdata
/etc/init.d/netdata
/etc/netdata
/lib/upgrade/keep.d/netdata
/overlay/upper/etc/netdata
/overlay/upper/usr/lib/lua/luci/view/netdata
/overlay/upper/usr/share/netdata
/rom/etc/init.d/netdata
/rom/etc/netdata
/rom/lib/upgrade/keep.d/netdata
/rom/usr/lib/lua/luci/view/netdata
/rom/usr/lib/netdata
/rom/usr/sbin/netdata
/rom/usr/share/netdata
/tmp/cache/netdata
/tmp/lib/netdata
/tmp/log/netdata
/usr/lib/lua/luci/view/netdata
/usr/lib/netdata
/usr/sbin/netdata
/usr/share/netdata
root@openwrt_d2550:/# vim /usr/lib/lua/luci/view/netdata/netdata.htm
root@openwrt_d2550:/# cat /usr/lib/lua/luci/view/netdata/netdata.htm
<%+header%>
<div class="cbi-map">
    <h2 name="content"><%=translate("NetData")%></h2>
    <iframe id="netdata" style="width: 100%; min-height: 1200px; border: none; border-radius: 3px;"></iframe>
</div>
<script type="text/javascript">
    // document.getElementById("netdata").src = "http://" + window.location.hostname + ":19999";
    document.getElementById("netdata").src = "https://" + window.location.hostname + ":8443/netdata";
</script>
<%+footer%>
root@openwrt_d2550:/#

Add the file to the backup list

https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles

## This file contains files and directories that should
## be preserved during an upgrade.

## this file is '/etc/sysupgrade.conf'
## what config of ipk will be backuped is indicated in '/lib/upgrade/keep.d/'

# /etc/example.conf
# /etc/openvpn/

/usr/lib/lua/luci/view/netdata/

Check that the entry was added to the backup list:
https://192.168.1.1:8443/cgi-bin/luci/admin/system/flashops/backupfiles?display=list

...
/usr/lib/lua/luci/view/netdata/netdata.htm
/usr/lib/lua/luci/view/netdata/netdata.htm.bak
...

Back up ...
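
To confirm that the chain listed under "Requirement" behaves as configured, the following check fetches each hop and compares the status code and Location header. It is an added example, not part of the original post; it assumes curl is installed, and the function names hop_info, check_hop and verify_chain are made up for this example.

```sh
#!/bin/sh
# Added example: check each hop of
#   http://HOST:8880/netdata/ -> https://HOST:8443/netdata/ -> 127.0.0.1:19999
# Function names are made up for this example; curl is assumed to be installed.

# Read raw response headers on stdin, print "<status> <Location or ->".
hop_info() {
    tr -d '\r' | awk '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END                        { print status, (loc == "" ? "-" : loc) }'
}

# check_hop NAME WANT_STATUS WANT_LOCATION   (response headers on stdin)
check_hop() {
    got=$(hop_info)
    if [ "$got" = "$2 $3" ]; then
        echo "PASS $1: $got"
    else
        echo "FAIL $1: got '$got', want '$2 $3'"
        return 1
    fi
}

# verify_chain HOST: fetch both hops from a live router (GET, headers only).
verify_chain() {
    # Hop 1: port 8880 must answer with the 302 from '_redirect2ssl' only.
    curl -s -o /dev/null -D - "http://$1:8880/netdata/" |
        check_hop redirect 302 "https://$1:8443/netdata/" || return 1
    # Hop 2: port 8443 proxies to netdata; -k because the certificate is
    # self-signed (uci_manage_ssl 'self-signed'), so it is not verified here.
    curl -sk -o /dev/null -D - "https://$1:8443/netdata/" |
        check_hop proxy 200 - || return 1
}

if [ $# -gt 0 ]; then
    verify_chain "$1"
else
    # Constructed sample response so the script also runs offline.
    printf 'HTTP/1.1 302 Moved Temporarily\r\nLocation: https://192.168.1.1:8443/netdata/\r\n\r\n' |
        check_hop sample 302 "https://192.168.1.1:8443/netdata/"
fi
```

Run it from a LAN client with the router address as the only argument; without an argument it only checks the constructed sample.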

# Synology's built-in nginx configuration

root@nas50:~# nginx -V
nginx version: nginx/1.16.1
TLS SNI support enabled
root@nas50:~# cat /etc/nginx/nginx.conf
# Copyright (c) 2000-2017 Synology Inc. All rights reserved.

worker_processes        auto;
#worker_cpu_affinity    auto;
worker_rlimit_nofile    65535;

include conf.d/main.conf;

events {
    use             epoll;
    multi_accept    on;
    accept_mutex    off;
    worker_connections 1024;

    include conf.d/events.conf;
}

http {
    include         mime.types;
    default_type    application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  off;
    #access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
    error_log   syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;

    tcp_nopush  on;
    tcp_nodelay on;

    sendfile        on;
    server_tokens   off;

    proxy_request_buffering     off;
    fastcgi_request_buffering   off;
    scgi_request_buffering      off;

    proxy_buffering     off;
    fastcgi_buffering   off;
    scgi_buffering      off;

    resolver_timeout              5s;
    client_header_timeout         10s;
    client_body_timeout           60s;
    send_timeout                  60s;
    keepalive_timeout             65s 20s;
    client_max_body_size          0;
    server_names_hash_max_size    8192;
    server_names_hash_bucket_size 128;

    ssl_certificate           /usr/syno/etc/certificate/system/default/fullchain.pem;
    ssl_certificate_key       /usr/syno/etc/certificate/system/default/privkey.pem;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_dhparam               /usr/syno/etc/ssl/dh2048.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets       off;
    ssl_session_cache         shared:SSL:1m;
    ssl_session_timeout       3600s;

    real_ip_header            X-Forwarded-For;
    real_ip_recursive         on;
    set_real_ip_from          127.0.0.1;
    include     /var/tmp/nginx/trusted_proxy/*.conf;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server_tag     "nginx";

    gzip_disable    "msie6";
    gzip_min_length 1000;
    gzip_types      text/plain text/css application/javascript application/json;
    gzip_vary       on;
    gzip_static     on;

    open_file_cache          max=1000 inactive=60s;
    open_file_cache_valid    3s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    upstream synoscgi {
        server unix:/run/synoscgi.sock;
    }

    index index.html index.htm index.php;

    server {
        listen 5000 default_server;
        listen [::]:5000 default_server;

        server_name _;

        gzip on;

        include app.d/alias.*.conf;
        root /usr/syno/synoman;
        index index.cgi;

        ignore_invalid_headers off;

        include app.d/dsm.*.conf;
        include /usr/syno/share/nginx/conf.d/dsm.*.conf;
        include conf.d/dsm.*.conf;

        location = / {
            try_files $uri /index.cgi$is_args$query_string;
        }

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;
            root /;
            open_file_cache off;
            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
            alias /usr/syno/share/OAuth/index_ds.php;
            default_type text/html;
        }

        location ~ \.cgi {
            include     scgi_params;
            scgi_pass   synoscgi;
            scgi_read_timeout   3600s;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ~ ^/webman/modules/Indexer/ {
            deny all;
        }

        location ~ ^/webapi/lib/ {
            deny all;
        }

        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
            deny all;
        }

        location ~ /\. { access_log off; log_not_found off; deny all; }

        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }
    }

    server {
        listen 5001 default_server ssl;
        listen [::]:5001 default_server ssl;

        server_name _;

        include app.d/alias.*.conf;
        root /usr/syno/synoman;
        index index.cgi;

        ignore_invalid_headers off;

        include app.d/dsm.*.conf;
        include /usr/syno/share/nginx/conf.d/dsm.*.conf;
        include conf.d/dsm.*.conf;

        location = / {
            try_files $uri /index.cgi$is_args$query_string;
        }

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;
            root /;
            open_file_cache off;
            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ {
            alias /usr/syno/share/OAuth/index_ds.php;
            default_type text/html;
        }

        location ~ \.cgi {
            include     scgi_params;
            scgi_pass   synoscgi;
            scgi_read_timeout   3600s;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ~ ^/webman/modules/Indexer/ {
            deny all;
        }

        location ~ ^/webapi/lib/ {
            deny all;
        }

        location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ {
            deny all;
        }

        location ~ /\. { access_log off; log_not_found off; deny all; }

        location ~* \.(?:js|css|png|jpg|gif|ico)$ {
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            access_log off;
            log_not_found off;
        }
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        gzip on;

        server_name _;

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;
            root /;
            open_file_cache off;
            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        include app.d/www.*.conf;
        include app.d/alias.*.conf;
        include /usr/syno/share/nginx/conf.d/www.*.conf;
        include conf.d/www.*.conf;

        location = /webdefault/images/logo.jpg {
            alias /usr/syno/share/nginx/logo.jpg;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ^~ /.well-known/acme-challenge {
            root /var/lib/letsencrypt;
            default_type text/plain;
        }

        include app.d/.location.webstation.conf*;

        location / {
            rewrite ^ / redirect;
        }

        location ~ ^/$ {
            rewrite / http://$host:5000/ redirect;
        }
    }

    server {
        listen 443 default_server ssl;
        listen [::]:443 default_server ssl;

        server_name _;

        location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
            internal;
            root /;
            open_file_cache off;
            include app.d/x-accel.*.conf;
            include conf.d/x-accel.*.conf;
        }

        include app.d/www.*.conf;
        include app.d/alias.*.conf;
        include /usr/syno/share/nginx/conf.d/www.*.conf;
        include conf.d/www.*.conf;

        location = /webdefault/images/logo.jpg {
            alias /usr/syno/share/nginx/logo.jpg;
        }

        error_page 403 404 500 502 503 504 @error_page;

        location @error_page {
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }

        location ^~ /.well-known/acme-challenge {
            root /var/lib/letsencrypt;
            default_type text/plain;
        }

        include app.d/.location.webstation.conf*;

        location / {
            rewrite ^ / redirect;
        }

        location ~ ^/$ {
            rewrite / https://$host:5001/ redirect;
        }
    }

    include conf.d/http.*.conf;
    include app.d/server.*.conf;
    include sites-enabled/*;
}
