kevisual/k8s-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
熊潇
2025-11-26 17:02:14 +08:00
parent 2418891634
commit ba1f52996f
33 changed files with 415 additions and 1216 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
k8s/xiongxiao.me/clean.sh Executable file
View File

@@ -0,0 +1,82 @@
#!/bin/bash
# 清理 Kubernetes 集群中失败和未就绪的 Pod
# tags: kubernetes, k3s, cleanup, maintenance
# description: 自动清理所有失败、未就绪或处于错误状态的 Pod
# title: Kubernetes Pod 清理脚本
# createdAt: 2025-11-26
set -e
# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
echo "======================================"
echo "Kubernetes Pod 清理脚本"
echo "======================================"
echo ""
# 获取所有失败或未就绪的 Pod
echo -e "${YELLOW}正在扫描失败的 Pod...${NC}"
echo ""
# 查找所有问题 Pod
FAILED_PODS=$(kubectl get pods -A -o json | jq -r '
.items[] |
select(
.status.phase != "Running" and
.status.phase != "Succeeded" or
(.status.containerStatuses // [] | any(.ready == false))
) |
"\(.metadata.namespace) \(.metadata.name) \(.status.phase // "Unknown")"
' 2>/dev/null || echo "")
if [ -z "$FAILED_PODS" ]; then
echo -e "${GREEN}✓ 没有发现失败的 Pod${NC}"
echo ""
exit 0
fi
echo "发现以下问题 Pod"
echo "$FAILED_PODS" | while read namespace name status; do
echo -e "${RED} [$status] $namespace/$name${NC}"
done
echo ""
# 确认删除
read -p "是否删除这些 Pod(y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${YELLOW}取消清理${NC}"
exit 0
fi
# 删除问题 Pod
echo ""
echo -e "${YELLOW}开始清理...${NC}"
DELETED=0
FAILED=0
echo "$FAILED_PODS" | while read namespace name status; do
if [ -n "$namespace" ] && [ -n "$name" ]; then
printf "删除 ${namespace}/${name} ... "
if kubectl delete pod "$name" -n "$namespace" --grace-period=0 --force 2>/dev/null; then
echo -e "${GREEN}${NC}"
((DELETED++)) || true
else
echo -e "${RED}${NC}"
((FAILED++)) || true
fi
fi
done
echo ""
echo -e "${GREEN}======================================"
echo "清理完成"
echo "======================================${NC}"
echo ""
echo "提示:相关的 Deployment/StatefulSet 会自动重新创建 Pod"
echo ""

91
k8s/xiongxiao.me/deploy-apps.sh
View File

@@ -1,91 +0,0 @@
#!/bin/bash
# Nginx 配置迁移到 K3s + Traefik 部署脚本
# tags: kubernetes, k3s, traefik, deployment, automation
# description: 自动部署外部服务和 IngressRoute 配置的脚本
# title: 自动部署脚本
# createdAt: 2025-11-26
set -e
echo "======================================"
echo "Nginx 配置迁移到 K3s + Traefik"
echo "======================================"
echo ""
# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
# 检查 kubectl
if ! command -v kubectl &> /dev/null; then
echo -e "${RED}错误: kubectl 未安装${NC}"
exit 1
fi
# 检查 Traefik
echo -e "${YELLOW}步骤 1/4: 检查 Traefik 部署状态...${NC}"
if ! kubectl get namespace traefik &> /dev/null; then
echo -e "${YELLOW}Traefik namespace 不存在,正在创建...${NC}"
kubectl create namespace traefik
fi
if ! kubectl get deployment traefik -n traefik &> /dev/null; then
echo -e "${YELLOW}Traefik 未部署,正在部署...${NC}"
kubectl apply -f traefik/traefik-complete.yaml
echo -e "${GREEN}等待 Traefik Pod 就绪...${NC}"
kubectl wait --for=condition=ready pod -l app=traefik -n traefik --timeout=120s
else
echo -e "${GREEN}✓ Traefik 已部署${NC}"
fi
# 部署外部服务
echo ""
echo -e "${YELLOW}步骤 2/4: 部署外部服务配置...${NC}"
kubectl apply -f services/external-services.yaml
echo -e "${GREEN}✓ 外部服务配置已应用${NC}"
# 验证服务
echo ""
echo -e "${YELLOW}步骤 3/4: 验证服务创建...${NC}"
sleep 2
SERVICE_COUNT=$(kubectl get svc -n default | grep -c "external" || true)
ENDPOINT_COUNT=$(kubectl get endpoints -n default | grep -c "external" || true)
echo -e "${GREEN}✓ 创建了 ${SERVICE_COUNT} 个服务${NC}"
echo -e "${GREEN}✓ 创建了 ${ENDPOINT_COUNT} 个 Endpoints${NC}"
# 部署 IngressRoute
echo ""
echo -e "${YELLOW}步骤 4/4: 部署 IngressRoute 配置...${NC}"
kubectl apply -f ingress/apps-ingressroute.yaml
sleep 2
ROUTE_COUNT=$(kubectl get ingressroute -n default 2>/dev/null | grep -c "https" || true)
echo -e "${GREEN}✓ 创建了 ${ROUTE_COUNT} 个 IngressRoute${NC}"
# 显示结果
echo ""
echo -e "${GREEN}======================================"
echo "部署完成!"
echo "======================================${NC}"
echo ""
echo "已部署的服务:"
kubectl get svc -n default | grep external || echo "无"
echo ""
echo "已部署的 IngressRoute"
kubectl get ingressroute -n default || echo "无"
echo ""
echo -e "${YELLOW}提示:${NC}"
echo "1. 查看 Traefik Dashboard:"
echo " kubectl port-forward svc/traefik 8080:8080 -n traefik"
echo " 然后访问 http://localhost:8080/dashboard/"
echo ""
echo "2. 查看 Traefik 日志:"
echo " kubectl logs -n traefik -l app=traefik -f"
echo ""
echo "3. 测试服务访问:"
echo " curl -k https://blinko.xiongxiao.me"
echo ""
echo "4. 确保 DNS 已配置正确,将域名指向 Traefik 的 NodePort (30443)"
echo ""

270
k8s/xiongxiao.me/docs/08-nginx-proxy-modes.md Normal file
View File

@@ -0,0 +1,270 @@
---
title: Nginx 代理模式选择指南
description: 详细说明 Nginx Stream 模式和 HTTP 反向代理模式的区别、适用场景及常见问题解决方案
tags:
- nginx
- proxy
- traefik
- stream
- reverse-proxy
- mime-type
createdAt: 2025-11-26
---
# Nginx 代理模式选择指南
## 问题现象
当使用 Stream 模式转发时,浏览器会报错:
```
Refused to execute script from 'https://npm.xiongxiao.me/-/static/Home.854787d3346e44ccc262.js'
because its MIME type ('') is not executable, and strict MIME type checking is enabled.
```
## 原因分析
Nginx Stream 模式工作在 **TCP/UDP 层**OSI 第 4 层),只做字节流转发,**不解析 HTTP 协议**,因此:
- ❌ 不会处理 HTTP 头信息(包括 Content-Type
- ❌ 不会设置 X-Forwarded-* 头
- ❌ 不支持 WebSocket 协议升级
- ❌ MIME 类型信息丢失
- ✅ 转发效率更高(无需解析 HTTP
## 两种模式对比
### 1. Stream 模式 (nginx-stream-proxy.conf)
**工作层级**: OSI 第 4 层 (TCP/UDP)
**特点**:
- ✅ 性能最优CPU 占用低
- ✅ 适合纯 TCP/UDP 转发
- ❌ 不处理 HTTP 头
- ❌ 不支持基于 HTTP 的负载均衡
- ❌ 无法查看 HTTP 请求细节
**适用场景**:
- MySQL/PostgreSQL 数据库转发
- Redis/MongoDB 等数据库代理
- SSH/SFTP 端口转发
- 纯 TCP 协议转发
- 不需要 HTTP 头信息的场景
**配置示例**:
```nginx
# /etc/nginx/nginx.conf 的 stream {} 块中
stream {
upstream traefik_http {
server 127.0.0.1:30080;
}
server {
listen 80;
proxy_pass traefik_http;
}
}
```
### 2. HTTP 反向代理模式 (nginx-traefik-proxy.conf) ⭐ 推荐
**工作层级**: OSI 第 7 层 (HTTP/HTTPS)
**特点**:
- ✅ 完整的 HTTP 协议支持
- ✅ 保留所有 HTTP 头信息(包括 Content-Type
- ✅ 支持 WebSocket
- ✅ 可以设置自定义头
- ✅ 支持 SSL/TLS 终止
- ✅ 可以记录详细访问日志
- ⚠️ 性能略低于 Stream 模式(差异很小)
**适用场景**:
- Web 应用反向代理 ⭐
- API 网关
- 静态资源服务
- WebSocket 应用
- 需要处理 HTTP 头的场景
**配置示例**:
```nginx
# /etc/nginx/conf.d/traefik-proxy.conf
server {
listen 80;
server_name _;
# 关键:保留 HTTP 头信息
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://127.0.0.1:30080;
}
}
```
## 解决方案
### 当前问题MIME Type 错误
**原因**: 使用了 Stream 模式,导致 Content-Type 头丢失
**解决方法**: 切换到 HTTP 反向代理模式
#### 步骤 1: 停止当前 Nginx 配置
```bash
# 如果使用了 stream 模式配置
sudo rm /etc/nginx/nginx.conf.d/stream/traefik.conf
# 或删除 nginx.conf 中的 stream {} 块
```
#### 步骤 2: 应用 HTTP 反向代理配置
```bash
# 复制配置文件
sudo cp nginx-traefik-proxy.conf /etc/nginx/conf.d/traefik-proxy.conf
# 创建 SSL 证书目录和占位证书(如果需要)
sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/placeholder.key \
-out /etc/nginx/ssl/placeholder.crt \
-subj "/CN=placeholder"
# 测试配置
sudo nginx -t
# 重载 Nginx
sudo nginx -s reload
```
#### 步骤 3: 验证
```bash
# 检查 HTTP 响应头
curl -I http://npm.xiongxiao.me
# 应该能看到正确的 Content-Type
# Content-Type: application/javascript; charset=utf-8
```
## 性能对比
### Stream 模式
- **延迟**: ~0.1ms
- **吞吐量**: 接近网卡上限
- **CPU 占用**: 极低
- **内存占用**: 极低
### HTTP 反向代理模式
- **延迟**: ~0.5-1ms
- **吞吐量**: 95%+ 网卡性能
- **CPU 占用**: 低
- **内存占用**: 低
**结论**: 对于 Web 应用性能差异可以忽略不计HTTP 反向代理模式是更好的选择。
## 常见问题
### Q1: 为什么 Traefik 后端应用会收到错误的 IP
**原因**: 没有设置 `X-Real-IP``X-Forwarded-For`
**解决**:
```nginx
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
```
### Q2: WebSocket 连接失败
**原因**: 没有配置协议升级
**解决**:
```nginx
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```
### Q3: HTTPS 证书错误
**原因**:
- HTTP 反向代理模式需要占位证书
- 或者 Traefik 后端使用自签名证书
**解决**:
```nginx
# 创建占位证书
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/placeholder.key \
-out /etc/nginx/ssl/placeholder.crt \
-subj "/CN=placeholder"
# 信任后端自签名证书
proxy_ssl_verify off;
```
### Q4: 什么时候用 Stream 模式?
**答**: 仅在以下场景使用 Stream 模式:
- 转发非 HTTP 协议MySQL、Redis、SSH 等)
- 需要最极致的性能(每毫秒都很重要的场景)
- 纯 TCP/UDP 负载均衡
**对于所有 Web 应用,请使用 HTTP 反向代理模式。**
## 推荐配置
### 生产环境标准配置
```nginx
# /etc/nginx/conf.d/traefik-proxy.conf
server {
listen 80;
listen [::]:80;
server_name _;
# 保留客户端信息
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# WebSocket 支持
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# 缓冲设置(根据实际调整)
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
# 超时设置
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
location / {
proxy_pass http://127.0.0.1:30080;
proxy_redirect off;
}
# 日志
access_log /var/log/nginx/traefik-proxy.access.log;
error_log /var/log/nginx/traefik-proxy.error.log warn;
}
```
## 参考资源
- [Nginx Stream Module 文档](http://nginx.org/en/docs/stream/ngx_stream_core_module.html)
- [Nginx HTTP Proxy Module 文档](http://nginx.org/en/docs/http/ngx_http_proxy_module.html)
- [Traefik 官方文档](https://doc.traefik.io/traefik/)

18
k8s/xiongxiao.me/ingress/apps-ingressroute.yaml
View File

@@ -167,24 +167,6 @@ spec:
tls:
certResolver: letsencrypt
---
# NPM - npm.xiongxiao.me
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: npm-https
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`npm.xiongxiao.me`)
kind: Rule
services:
- name: npm-external
port: 30001
tls:
certResolver: letsencrypt
---
# Gist - gist.xiongxiao.me (支持 WebSocket)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute

3
k8s/xiongxiao.me/ingress/rancher-ingress.yaml
View File

@@ -7,6 +7,7 @@ metadata:
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt # 使用 Let's Encrypt
spec:
ingressClassName: traefik
rules:
@@ -23,4 +24,4 @@ spec:
tls:
- hosts:
- rancher.xiongxiao.me
secretName: tls-rancher-ingress
# secretName: tls-rancher-ingress # 使用自动证书,不需要手动指定 secret

10
k8s/xiongxiao.me/ingress/verdaccio-ingress.yaml
View File

@@ -1,8 +1,12 @@
# NPM - npm.xiongxiao.me
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: verdaccio-ingress
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
spec:
ingressClassName: traefik
rules:
@@ -16,5 +20,7 @@ spec:
name: verdaccio-service
port:
number: 4873
# curl http://verdaccio-service:4873
# wget http://verdaccio-service:4873
tls:
- hosts:
- npm.xiongxiao.me
secretName: npm-xiongxiao-me-tls

0
k8s/xiongxiao.me/nginx/nginx-80.conf Normal file
View File

44
k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf Normal file
View File

@@ -0,0 +1,44 @@
# HTTP 转发 (80 -> 30080) - Let's Encrypt HTTP Challenge 需要
upstream traefik_http {
server 127.0.0.1:30080;
}
server {
listen 80;
listen [::]:80;
proxy_pass traefik_http;
# 优化的超时设置
proxy_timeout 1h;
proxy_connect_timeout 5s;
# Stream 模块支持的选项
proxy_responses 1;
proxy_buffer_size 16k;
}
# HTTPS 转发 (443 -> 30443)
upstream traefik_https {
server 127.0.0.1:30443;
}
server {
listen 443;
listen [::]:443;
# SNI 预读 - 让 Traefik 处理 SSL 证书选择
ssl_preread on;
proxy_pass traefik_https;
# 优化的超时设置
proxy_timeout 1h;
proxy_connect_timeout 5s;
# Stream 模块支持的选项
proxy_responses 1;
proxy_buffer_size 16k;
}

4
k8s/xiongxiao.me/restart.sh Executable file
View File

@@ -0,0 +1,4 @@
kubectl rollout restart deployment/traefik -n traefik
kubectl logs -n traefik -l app=traefik -f

26
k8s/xiongxiao.me/services/external-services.yaml
View File

@@ -239,32 +239,6 @@ subsets:
- port: 9000
name: http
---
# NPM (Verdaccio) 服务 (端口 30001, IP: 10.0.32.6)
apiVersion: v1
kind: Service
metadata:
name: npm-external
namespace: default
spec:
type: ClusterIP
ports:
- port: 30001
targetPort: 30001
protocol: TCP
name: http
---
apiVersion: v1
kind: Endpoints
metadata:
name: npm-external
namespace: default
subsets:
- addresses:
- ip: 10.0.32.6
ports:
- port: 30001
name: http
---
# Gist 服务 (端口 6157, 本地)
apiVersion: v1
kind: Service

88
k8s/xiongxiao.me/test-services.sh
View File

@@ -1,88 +0,0 @@
#!/bin/bash
# 服务连通性测试脚本
# tags: kubernetes, k3s, traefik, testing, health-check
# description: 测试所有已部署服务的连通性和健康状态
# title: 服务测试脚本
# createdAt: 2025-11-26
# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
echo "======================================"
echo "服务连通性测试"
echo "======================================"
echo ""
# 定义所有服务
declare -a SERVICES=(
"blinko.xiongxiao.me"
"chat.xiongxiao.me"
"kevisual.xiongxiao.me"
"www.xiongxiao.me"
"immich.xiongxiao.me"
"cloud.xiongxiao.me"
"docmost.xiongxiao.me"
"drawio.xiongxiao.me"
"minio.xiongxiao.me"
"npm.xiongxiao.me"
"gist.xiongxiao.me"
"webdav.xiongxiao.me"
"esm.xiongxiao.me"
"umami.xiongxiao.me"
"pwd.xiongxiao.me"
"meilisearch.xiongxiao.me"
"memos.xiongxiao.me"
"git.xiongxiao.me"
)
# 统计
TOTAL=${#SERVICES[@]}
SUCCESS=0
FAILED=0
echo "测试 ${TOTAL} 个服务..."
echo ""
# 测试每个服务
for service in "${SERVICES[@]}"; do
printf "%-35s ... " "$service"
# 使用 curl 测试,允许不安全的 SSL (因为是自签名)
# 设置 5 秒超时
if curl -k -s -o /dev/null -w "%{http_code}" --max-time 5 "https://${service}" | grep -qE "^(200|301|302|401|403)$"; then
echo -e "${GREEN}✓ OK${NC}"
((SUCCESS++))
else
echo -e "${RED}✗ FAILED${NC}"
((FAILED++))
fi
done
# 显示结果
echo ""
echo "======================================"
echo "测试结果"
echo "======================================"
echo -e "总计: ${TOTAL}"
echo -e "${GREEN}成功: ${SUCCESS}${NC}"
echo -e "${RED}失败: ${FAILED}${NC}"
echo ""
if [ $FAILED -eq 0 ]; then
echo -e "${GREEN}所有服务测试通过!${NC}"
exit 0
else
echo -e "${YELLOW}部分服务测试失败,请检查:${NC}"
echo "1. Service 和 Endpoints 配置是否正确"
echo "2. 后端服务是否正常运行"
echo "3. 网络连接是否正常"
echo "4. DNS 解析是否正确"
echo ""
echo "查看详细日志:"
echo " kubectl logs -n traefik -l app=traefik"
exit 1
fi

35
k8s/xiongxiao.me/todos/nginx/blinko.conf
View File

@@ -1,35 +0,0 @@
server {
server_name blinko.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_pass http://localhost:3111/;
proxy_pass http://10.0.32.6:3111/;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/blinko.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blinko.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = blinko.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name blinko.xiongxiao.me;
return 404; # managed by Certbot
}

50
k8s/xiongxiao.me/todos/nginx/chat.conf
View File

@@ -1,50 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name chat.xiongxiao.me;
client_max_body_size 200m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:3000/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/chat.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = chat.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name chat.xiongxiao.me;
return 404; # managed by Certbot
}

34
k8s/xiongxiao.me/todos/nginx/cloud.conf
View File

@@ -1,34 +0,0 @@
server {
server_name cloud.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:5212/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/cloud.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cloud.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = cloud.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name cloud.xiongxiao.me;
return 404; # managed by Certbot
}

45
k8s/xiongxiao.me/todos/nginx/docmost.conf
View File

@@ -1,45 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name docmost.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:3011/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/docmost.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/docmost.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}server {
if ($host = docmost.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name docmost.xiongxiao.me;
return 404; # managed by Certbot
}

48
k8s/xiongxiao.me/todos/nginx/drawio.conf
View File

@@ -1,48 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name drawio.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:13000/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/drawio.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/drawio.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = drawio.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name drawio.xiongxiao.me;
return 404; # managed by Certbot
}

47
k8s/xiongxiao.me/todos/nginx/esm.conf
View File

@@ -1,47 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
listen 80;
listen [::]:80;
server_name esm.xiongxiao.me;
client_max_body_size 1200m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:12000;
}
}
server {
server_name esm.xiongxiao.me;
location / {
# root /root/web;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:12000;
}
client_max_body_size 2048M;
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/esm.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/esm.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

48
k8s/xiongxiao.me/todos/nginx/gist.conf
View File

@@ -1,48 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name gist.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:6157/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/gist.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gist.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = gist.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name gist.xiongxiao.me;
return 404; # managed by Certbot
}

39
k8s/xiongxiao.me/todos/nginx/git.xx.conf
View File

@@ -1,39 +0,0 @@
server {
#填写绑定证书的域名
server_name git.xiongxiao.me;
#把http的域名请求转成https
#rewrite ^(.*)$ https://${server_name}$1 permanent;
# return 301 https://$host$request_uri;
location / {
# root /root/web;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_pass http://10.0.0.10:3000/;
proxy_pass http://10.0.32.6:3000/;
}
client_max_body_size 2048M;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = git.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.xiongxiao.me;
return 404; # managed by Certbot
}

50
k8s/xiongxiao.me/todos/nginx/home.mz.conf
View File

@@ -1,50 +0,0 @@
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on; # ✅ 启用 HTTP/2
server_name home.mz.xiongxiao.me;
client_max_body_size 240m;
# SSL 配置
ssl_certificate /etc/letsencrypt/live/home.mz.xiongxiao.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/home.mz.xiongxiao.me/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# 提升 WebSocket 支持
proxy_http_version 1.1;
location ~* \.(gif|png|jpg|css|js|woff|woff2)$ {
proxy_pass http://xionmi.mz.zxj.im:8123;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
expires 12h;
add_header Cache-Control "public";
}
location / {
proxy_pass http://xionmi.mz.zxj.im:8123/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
add_header X-Cache $upstream_cache_status;
add_header Cache-Control no-cache;
}
}
server {
listen 80;
listen [::]:80;
server_name home.mz.xiongxiao.me;
return 301 https://$host$request_uri;
}

48
k8s/xiongxiao.me/todos/nginx/immich.conf
View File

@@ -1,48 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name immich.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:2283/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/immich.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/immich.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = immich.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name immich.xiongxiao.me;
return 404; # managed by Certbot
}

85
k8s/xiongxiao.me/todos/nginx/kevisual.conf
View File

@@ -1,85 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name kevisual.xiongxiao.me;
#add_header Access-Control-Allow-Origin *;
#add_header Access-Control-Allow-Credentials true;
#add_header Access-Control-Allow-Methods GET,POST;
client_max_body_size 200m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:3005/;
}
location /api/proxy {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:3005/api/proxy;
}
location /api {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:4005/api;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/kevisual.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/kevisual.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = kevisual.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name kevisual.xiongxiao.me;
return 404; # managed by Certbot
}

42
k8s/xiongxiao.me/todos/nginx/look-good.conf
View File

@@ -1,42 +0,0 @@
server {
server_name look-good.xiongxiao.me;
client_max_body_size 1024m;
root /var/www/book/look-good;
index index.html index.htm;
# 更安全的访问控制
location / {
try_files $uri $uri.html $uri/ =404;
}
# 隐藏 .git 等敏感文件
location ~ /\.(git|svn|hg) {
deny all;
}
# 日志路径可自定义
access_log /var/log/nginx/look-good.access.log;
error_log /var/log/nginx/look-good.error.log;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/look-good.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/look-good.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = look-good.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name look-good.xiongxiao.me;
return 404; # managed by Certbot
}

34
k8s/xiongxiao.me/todos/nginx/meilisearch.conf
View File

@@ -1,34 +0,0 @@
server {
server_name meilisearch.xiongxiao.me;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:7700/;
}
listen 443 ssl; # managed by Certbot
listen [::]:443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/meilisearch.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/meilisearch.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = meilisearch.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name meilisearch.xiongxiao.me;
return 404; # managed by Certbot
}

43
k8s/xiongxiao.me/todos/nginx/memos.conf
View File

@@ -1,43 +0,0 @@
server {
if ($host = memos.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
#填写绑定证书的域名
server_name memos.xiongxiao.me memos.zxj.im;
#把http的域名请求转成https
rewrite ^(.*)$ https://${server_name}$1 permanent;
# return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
#填写绑定证书的域名
server_name memos.xiongxiao.me;
#网站主页路径。此路径仅供参考,具体请您按照实际目录操作。
# root /root/web;
index index.html index.htm;
#证书文件名称
#ssl_certificate /etc/nginx/conf/short.xiongxiao.me_bundle.crt;
#私钥文件名称
#ssl_certificate_key /etc/nginx/conf/short.xiongxiao.me.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
# root /root/web;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://10.0.32.6:8181/;
}
ssl_certificate /etc/letsencrypt/live/memos.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/memos.xiongxiao.me/privkey.pem; # managed by Certbot
}

49
k8s/xiongxiao.me/todos/nginx/minio.conf
View File

@@ -1,49 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name minio.xiongxiao.me;
client_max_body_size 200m;
location / {
proxy_pass http://127.0.0.1:9000/;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/minio.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/minio.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = minio.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name minio.xiongxiao.me;
return 404; # managed by Certbot
}

35
k8s/xiongxiao.me/todos/nginx/npm.conf
View File

@@ -1,35 +0,0 @@
server {
server_name npm.xiongxiao.me;
client_max_body_size 24m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_pass http://10.0.0.10:4873/;
proxy_pass http://10.0.32.6:30001/;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/npm.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/npm.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = npm.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name npm.xiongxiao.me;
return 404; # managed by Certbot
}

44
k8s/xiongxiao.me/todos/nginx/pwd.conf
View File

@@ -1,44 +0,0 @@
server {
if ($host = pwd.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
#填写绑定证书的域名
server_name pwd.xiongxiao.me;
#把http的域名请求转成https
rewrite ^(.*)$ https://${server_name}$1 permanent;
# return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
#填写绑定证书的域名
server_name pwd.xiongxiao.me;
#网站主页路径。此路径仅供参考,具体请您按照实际目录操作。
# root /root/web;
index index.html index.htm;
#证书文件名称
#ssl_certificate /etc/nginx/conf/short.xiongxiao.me_bundle.crt;
#私钥文件名称
#ssl_certificate_key /etc/nginx/conf/short.xiongxiao.me.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
# root /root/web;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8180/;
}
ssl_certificate /etc/letsencrypt/live/pwd.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/pwd.xiongxiao.me/privkey.pem; # managed by Certbot
}

47
k8s/xiongxiao.me/todos/nginx/unami.conf
View File

@@ -1,47 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name umami.xiongxiao.me;
index index.html;
client_max_body_size 1024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:4004;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/umami.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/umami.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = umami.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name umami.xiongxiao.me;
return 404; # managed by Certbot
}

50
k8s/xiongxiao.me/todos/nginx/webdav.conf
View File

@@ -1,50 +0,0 @@
map $http_upgrade $connection_upgrade {
default keep-alive; #默认为keep-alive 可以支持 一般http请求
'websocket' upgrade; #如果为websocket 则为 upgrade 可升级的。
}
server {
server_name webdav.xiongxiao.me;
client_max_body_size 2024m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:6060;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/webdav.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/webdav.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = webdav.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name webdav.xiongxiao.me;
return 404; # managed by Certbot
}

42
k8s/xiongxiao.me/todos/nginx/www.xiongxiao.me.conf
View File

@@ -1,42 +0,0 @@
server {
server_name www.xiongxiao.me;
index index.html index.htm index.nginx-debian.html;
client_max_body_size 24m;
location / {
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 86400; # 可选的长时间保持 WebSocket 连接
proxy_pass http://localhost:3005/;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.xiongxiao.me/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.xiongxiao.me/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.xiongxiao.me) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.xiongxiao.me;
return 404; # managed by Certbot
}

10
k8s/xiongxiao.me/traefik/traefik-complete.yaml
View File

@@ -130,7 +130,6 @@ spec:
labels:
app: traefik
spec:
hostNetwork: true
serviceAccountName: traefik
containers:
- name: traefik
@@ -141,12 +140,10 @@ spec:
- --providers.kubernetescrd
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
# HTTP 自动重定向到 HTTPS
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
# Let's Encrypt 配置
- --certificatesresolvers.letsencrypt.acme.email=root@xiongxiao.me
- --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
# 使用 Let's Encrypt 生产环境(如果测试,使用 caserver)
# - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
@@ -172,19 +169,22 @@ metadata:
name: traefik
namespace: traefik
spec:
type: ClusterIP
type: NodePort
selector:
app: traefik
ports:
- name: web
port: 80
targetPort: 80
nodePort: 30080 # 外部通过 30080 访问 HTTP
- name: websecure
port: 443
targetPort: 443
nodePort: 30443 # 外部通过 30443 访问 HTTPS
- name: admin
port: 8080
targetPort: 8080
nodePort: 30808 # Dashboard
---
apiVersion: networking.k8s.io/v1
kind: IngressClass

70
k8s/xiongxiao.me/undeploy-apps.sh
View File

@@ -1,70 +0,0 @@
#!/bin/bash
# Nginx 配置迁移卸载脚本
# tags: kubernetes, k3s, traefik, cleanup, uninstall
# description: 卸载所有已部署的外部服务和 IngressRoute 配置
# title: 卸载脚本
# createdAt: 2025-11-26
set -e
echo "======================================"
echo "卸载 K3s 外部服务配置"
echo "======================================"
echo ""
# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m' # No Color
# 确认卸载
read -p "确认要卸载所有外部服务和 IngressRoute 配置吗?(y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${YELLOW}取消卸载${NC}"
exit 0
fi
# 删除 IngressRoute
echo ""
echo -e "${YELLOW}步骤 1/2: 删除 IngressRoute...${NC}"
if kubectl get ingressroute -n default &> /dev/null; then
kubectl delete -f k8s/xiongxiao.me/ingress/apps-ingressroute.yaml || true
echo -e "${GREEN}✓ IngressRoute 已删除${NC}"
else
echo -e "${YELLOW}无 IngressRoute 需要删除${NC}"
fi
# 删除外部服务
echo ""
echo -e "${YELLOW}步骤 2/2: 删除外部服务和 Endpoints...${NC}"
if kubectl get svc -n default | grep -q external; then
kubectl delete -f k8s/xiongxiao.me/services/external-services.yaml || true
echo -e "${GREEN}✓ 外部服务已删除${NC}"
else
echo -e "${YELLOW}无外部服务需要删除${NC}"
fi
# 验证清理
echo ""
echo -e "${YELLOW}验证清理结果...${NC}"
REMAINING_SVC=$(kubectl get svc -n default | grep -c "external" || true)
REMAINING_ROUTES=$(kubectl get ingressroute -n default 2>/dev/null | grep -c "https" || true)
if [ "$REMAINING_SVC" -eq 0 ] && [ "$REMAINING_ROUTES" -eq 0 ]; then
echo -e "${GREEN}✓ 所有配置已清理完成${NC}"
else
echo -e "${RED}警告: 仍有 ${REMAINING_SVC} 个服务和 ${REMAINING_ROUTES} 个路由${NC}"
fi
echo ""
echo -e "${GREEN}======================================"
echo "卸载完成!"
echo "======================================${NC}"
echo ""
echo -e "${YELLOW}注意: Traefik 本身未被删除${NC}"
echo "如需删除 Traefik请运行"
echo " kubectl delete -f k8s/xiongxiao.me/traefik/traefik-complete.yaml"
echo ""